From: Daniel Borkmann <dborkman@redhat.com>
To: Mathias Krause <minipli@googlemail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH net] filter: prevent nla extensions to peek beyond the end of the message
Date: Sun, 13 Apr 2014 19:34:45 +0200	[thread overview]
Message-ID: <534ACAB5.5030500@redhat.com> (raw)
In-Reply-To: <1397406213-15452-1-git-send-email-minipli@googlemail.com>

On 04/13/2014 06:23 PM, Mathias Krause wrote:
> The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
> for a minimal message length before testing the supplied offset to be
> within the bounds of the message. This allows the subtraction of the nla
> header to underflow and therefore -- as the data type is unsigned --
> allowing far too big offset and length values for the search of the
> netlink attribute.
>
> The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
> also wrong. It has the minuend and subtrahend mixed up, therefore
> calculates a huge length value, making it possible to overrun the end of
> the message while looking for the netlink attribute.
>
> The following three BPF snippets will trigger the bugs when attached to
> a UNIX datagram socket and parsing a message with length 1, 2 or 3.
>
>   ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
>   | ld	#0x87654321
>   | ldx	#42
>   | ld	#nla
>   | ret	a
>   `---
>
>   ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
>   | ld	#0x87654321
>   | ldx	#42
>   | ld	#nlan
>   | ret	a
>   `---
>
>   ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
>   | ; (needs a fake netlink header at offset 0)
>   | ld	#0
>   | ldx	#42
>   | ld	#nlan
>   | ret	a
>   `---
>
> Fix the first issue by ensuring the message length fulfills the minimal
> size constraints of a nla header. Fix the second bug by getting the math
> for the remainder calculation right.
>
> Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
> Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
> Cc: Patrick McHardy <kaber@trash.net>
> Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Mathias Krause <minipli@googlemail.com>

Acked-by: Daniel Borkmann <dborkman@redhat.com>

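The two arithmetic problems the commit message describes (the unsigned wrap when the header size is subtracted from a message shorter than a header, and the swapped operands in the nested remainder check) are easy to reproduce outside the kernel. The following userland model is an added example and is not code from the kernel, from this patch, or from the people on this thread. It assumes a 4-byte `struct nla_hdr` as a stand-in for `struct nlattr`, and the function names (`nla_offset_ok_vuln`, `nla_offset_ok_fixed`, `nest_len_ok_vuln`, `nest_len_ok_fixed`, `nla_lookup_range`) are invented for illustration; the buggy and fixed forms of the checks are modeled from the description above, not copied from net/core/filter.c.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the kernel's struct nlattr: a 16-bit length (covering the
 * header itself) followed by a 16-bit type. Assumed layout for this model.
 */
struct nla_hdr {
    uint16_t nla_len;
    uint16_t nla_type;
};

/*
 * Offset check as the commit message describes the buggy version: the
 * message length minus the header size is computed in unsigned arithmetic,
 * so for len < sizeof(struct nla_hdr) it wraps to a huge value and every
 * offset (A, the BPF accumulator) passes the test.
 */
static bool nla_offset_ok_vuln(unsigned int len, uint32_t off)
{
    return !(off > len - sizeof(struct nla_hdr));
}

/* Fixed version: reject messages too short to hold a single nla header. */
static bool nla_offset_ok_fixed(unsigned int len, uint32_t off)
{
    if (len < sizeof(struct nla_hdr))
        return false;
    return !(off > len - sizeof(struct nla_hdr));
}

/*
 * Remainder check for the nested lookup. The buggy form subtracts the
 * message length from the offset (minuend and subtrahend swapped), which
 * wraps to a huge unsigned value whenever off < len, so an oversized
 * nla_len is never rejected.
 */
static bool nest_len_ok_vuln(unsigned int len, uint32_t off, uint16_t nla_len)
{
    return !(nla_len > off - len);
}

/* Fixed form: the attribute must fit in what is left after the offset. */
static bool nest_len_ok_fixed(unsigned int len, uint32_t off, uint16_t nla_len)
{
    return !(nla_len > len - off);
}

/* What a lookup would be handed once the offset check passed. */
struct nla_range {
    bool allowed;
    uint32_t start;
    uint32_t avail;   /* bytes the search would be told it may read */
};

static struct nla_range nla_lookup_range(unsigned int len, uint32_t off, bool fixed)
{
    struct nla_range r = { false, 0, 0 };
    bool ok = fixed ? nla_offset_ok_fixed(len, off) : nla_offset_ok_vuln(len, off);

    if (!ok)
        return r;
    r.allowed = true;
    r.start = off;
    r.avail = len - off;   /* same unsigned arithmetic as skb->len - A */
    return r;
}

int main(void)
{
    /* First PoC from the commit message: A = 0x87654321 on a 1-byte message. */
    struct nla_range v = nla_lookup_range(1, 0x87654321u, false);
    struct nla_range f = nla_lookup_range(1, 0x87654321u, true);

    printf("vuln : allowed=%d start=0x%x avail=0x%x\n", v.allowed, v.start, v.avail);
    printf("fixed: allowed=%d\n", f.allowed);

    /* Third PoC: fake header at offset 0 claiming more bytes than the message has. */
    printf("nest vuln : ok=%d\n", nest_len_ok_vuln(8, 0, 100));
    printf("nest fixed: ok=%d\n", nest_len_ok_fixed(8, 0, 100));
    return 0;
}
```

With a 1-byte message and the first PoC's accumulator value, the buggy check lets the lookup start at offset 0x87654321 with an "available" length of 0x789ABCE0 bytes, which is the "far too big offset and length values" the commit message refers to; the fixed check refuses any message shorter than a header before the subtraction happens. The nested case shows that reordering the subtraction is the whole fix: with the operands swapped, a 100-byte attribute claimed inside an 8-byte message is accepted.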
Thread overview: 4+ messages
2014-04-13 16:23 [PATCH net] filter: prevent nla extensions to peek beyond the end of the message Mathias Krause
2014-04-13 17:34 ` Daniel Borkmann [this message]
2014-04-14  3:33 ` David Miller
2014-04-14  5:53   ` Mathias Krause
