This is a note to let you know that I've just added the patch titled
inet_diag: validate port comparison byte code to prevent unsafe reads
to the 3.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
inet_diag-validate-port-comparison-byte-code-to-prevent-unsafe-reads.patch
and it can be found in the queue-3.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From cd82550381feeb004a3afddffcf9f911763f051a Mon Sep 17 00:00:00 2001
From: Neal Cardwell <[email protected]>
Date: Sun, 9 Dec 2012 11:09:54 +0000
Subject: inet_diag: validate port comparison byte code to prevent unsafe reads
From: Neal Cardwell <[email protected]>
[ Upstream commit 5e1f54201cb481f40a04bc47e1bc8c093a189e23 ]
Add logic to verify that a port comparison byte code operation
actually has the second inet_diag_bc_op from which we read the port
for such operations.
Previously the code blindly referenced op[1] without first checking
whether a second inet_diag_bc_op struct could fit there. So a
malicious user could make the kernel read 4 bytes beyond the end of
the bytecode array by claiming to have a whole port comparison byte
code (2 inet_diag_bc_op structs) when in fact the bytecode was not
long enough to hold both.
Signed-off-by: Neal Cardwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/inet_diag.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -552,6 +552,17 @@ static bool valid_hostcond(const struct
return true;
}
+/* Validate a port comparison operator. */
+static inline bool valid_port_comparison(const struct inet_diag_bc_op *op,
+ int len, int *min_len)
+{
+ /* Port comparisons put the port in a follow-on inet_diag_bc_op. */
+ *min_len += sizeof(struct inet_diag_bc_op);
+ if (len < *min_len)
+ return false;
+ return true;
+}
+
static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
{
const void *bc = bytecode;
@@ -567,24 +578,30 @@ static int inet_diag_bc_audit(const void
case INET_DIAG_BC_D_COND:
if (!valid_hostcond(bc, len, &min_len))
return -EINVAL;
- /* fall through */
- case INET_DIAG_BC_AUTO:
+ break;
case INET_DIAG_BC_S_GE:
case INET_DIAG_BC_S_LE:
case INET_DIAG_BC_D_GE:
case INET_DIAG_BC_D_LE:
- case INET_DIAG_BC_JMP:
- if (op->no < min_len || op->no > len + 4 || op->no & 3)
- return -EINVAL;
- if (op->no < len &&
- !valid_cc(bytecode, bytecode_len, len - op->no))
+ if (!valid_port_comparison(bc, len, &min_len))
return -EINVAL;
break;
+ case INET_DIAG_BC_AUTO:
+ case INET_DIAG_BC_JMP:
case INET_DIAG_BC_NOP:
break;
default:
return -EINVAL;
}
+
+ if (op->code != INET_DIAG_BC_NOP) {
+ if (op->no < min_len || op->no > len + 4 || op->no & 3)
+ return -EINVAL;
+ if (op->no < len &&
+ !valid_cc(bytecode, bytecode_len, len - op->no))
+ return -EINVAL;
+ }
+
if (op->yes < min_len || op->yes > len + 4 || op->yes & 3)
return -EINVAL;
bc += op->yes;
Patches currently in stable-queue which might be from [email protected] are
queue-3.6/inet_diag-validate-byte-code-to-prevent-oops-in-inet_diag_bc_run.patch
queue-3.6/ipv4-avoid-passing-null-to-inet_putpeer-in-icmpv4_xrlim_allow.patch
queue-3.6/inet_diag-validate-port-comparison-byte-code-to-prevent-unsafe-reads.patch
queue-3.6/inet_diag-avoid-unsafe-and-nonsensical-prefix-matches-in-inet_diag_bc_run.patch
queue-3.6/inet_diag-fix-oops-for-ipv4-af_inet6-tcp-syn-recv-state.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
