netfilter-devel.vger.kernel.org archive mirror
* [patch] ipvs: info leak in __ip_vs_get_dest_entries()
@ 2013-06-03  9:00 Dan Carpenter
  2013-06-03 20:00 ` Julian Anastasov
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Dan Carpenter @ 2013-06-03  9:00 UTC (permalink / raw)
  To: Wensong Zhang
  Cc: Simon Horman, Julian Anastasov, Pablo Neira Ayuso,
	Patrick McHardy, Jozsef Kadlecsik, David S. Miller, netdev,
	lvs-devel, netfilter-devel, netfilter, coreteam, kernel-janitors

The entry struct has a 2 byte hole after ->port and another 4 byte
hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
namespace to hit this information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index df05c1c..e336535 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
 		struct ip_vs_dest *dest;
 		struct ip_vs_dest_entry entry;
 
+		memset(&entry, 0, sizeof(entry));
 		list_for_each_entry(dest, &svc->destinations, n_list) {
 			if (count >= get->num_dests)
 				break;
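Review bot: the memset() sits before list_for_each_entry(), so entry is cleared once and then reused for every destination. That keeps the two holes named in the commit message zero only while the loop body changes entry through plain member assignments, so a one-line comment above the memset() saying it is there to clear struct padding would stop it being dropped later as a redundant initialisation. Replacing it with an initializer on the declaration (struct ip_vs_dest_entry entry = {}) would not be equivalent, since an initializer does not guarantee that padding bytes are zeroed.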

^ permalink raw reply related	[flat|nested] 6+ messages in thread
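The padding holes described in the commit message above, as an added example (not part of the original post and not kernel code). `struct demo_entry` and `struct demo_stats` are hypothetical stand-ins for the layout the message describes, the 0xAA fill stands in for stale stack contents, and the final memcpy() stands in for the copy out to user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, NOT the kernel's struct ip_vs_dest_entry: a 16-bit
 * port before 32-bit fields, and three 32-bit counters before 64-bit ones. */
struct demo_stats { uint32_t conns, inpkts, outpkts; uint64_t inbytes, outbytes; };
struct demo_entry {
    uint32_t addr;
    uint16_t port;
    uint32_t conn_flags;
    uint32_t weight;
    struct demo_stats stats;
};

/* Bytes of padding the compiler inserted between two adjacent members. */
#define GAP(type, prev, next) \
    (offsetof(type, next) - offsetof(type, prev) - sizeof(((type *)0)->prev))
size_t hole_after_port(void)    { return GAP(struct demo_entry, port, conn_flags); }
size_t hole_after_outpkts(void) { return GAP(struct demo_stats, outpkts, inbytes); }

/* Fill an entry member by member and count stale bytes in the copied reply. */
size_t stale_bytes_copied(int zero_first)
{
    struct demo_entry e;
    unsigned char out[sizeof(e)];
    size_t i, stale = 0;

    memset(&e, 0xAA, sizeof(e));      /* constructed stand-in for old stack data */
    if (zero_first)
        memset(&e, 0, sizeof(e));     /* the fix: clears members and padding */
    e.addr = 0x0a000001; e.port = 80; e.conn_flags = 0; e.weight = 1;
    e.stats.conns = 3; e.stats.inpkts = 7; e.stats.outpkts = 9;
    e.stats.inbytes = 512; e.stats.outbytes = 1024;
    memcpy(out, &e, sizeof(e));       /* stand-in for the copy to user space */
    for (i = 0; i < sizeof(out); i++)
        stale += (out[i] == 0xAA);    /* no member value above contains 0xAA */
    return stale;
}

int main(void)
{
    printf("holes %zu+%zu, stale bytes: %zu unfixed, %zu fixed\n", hole_after_port(),
           hole_after_outpkts(), stale_bytes_copied(0), stale_bytes_copied(1));
    return 0;
}
```

Hole sizes depend on the ABI: where 64-bit integers are only 4-byte aligned, the second gap is zero, and the stale-byte count follows the layout.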

* Re: [patch] ipvs: info leak in __ip_vs_get_dest_entries()
  2013-06-03  9:00 [patch] ipvs: info leak in __ip_vs_get_dest_entries() Dan Carpenter
@ 2013-06-03 20:00 ` Julian Anastasov
  2013-06-04  1:03 ` Simon Horman
  2013-06-10  8:38 ` Simon Horman
  2 siblings, 0 replies; 6+ messages in thread
From: Julian Anastasov @ 2013-06-03 20:00 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Wensong Zhang, Simon Horman, Pablo Neira Ayuso, Patrick McHardy,
	Jozsef Kadlecsik, David S. Miller, netdev, lvs-devel,
	netfilter-devel, netfilter, coreteam, kernel-janitors


	Hello,

On Mon, 3 Jun 2013, Dan Carpenter wrote:

> The entry struct has a 2 byte hole after ->port and another 4 byte
> hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
> namespace to hit this information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Julian Anastasov <ja@ssi.bg>

> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index df05c1c..e336535 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
>  		struct ip_vs_dest *dest;
>  		struct ip_vs_dest_entry entry;
>  
> +		memset(&entry, 0, sizeof(entry));
>  		list_for_each_entry(dest, &svc->destinations, n_list) {
>  			if (count >= get->num_dests)
>  				break;

Regards

--
Julian Anastasov <ja@ssi.bg>


* Re: [patch] ipvs: info leak in __ip_vs_get_dest_entries()
  2013-06-03  9:00 [patch] ipvs: info leak in __ip_vs_get_dest_entries() Dan Carpenter
  2013-06-03 20:00 ` Julian Anastasov
@ 2013-06-04  1:03 ` Simon Horman
  2013-06-07  8:33   ` Dan Carpenter
  2013-06-10  8:38 ` Simon Horman
  2 siblings, 1 reply; 6+ messages in thread
From: Simon Horman @ 2013-06-04  1:03 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Wensong Zhang, Julian Anastasov, Pablo Neira Ayuso,
	Patrick McHardy, Jozsef Kadlecsik, David S. Miller, netdev,
	lvs-devel, netfilter-devel, netfilter, coreteam, kernel-janitors

On Mon, Jun 03, 2013 at 12:00:49PM +0300, Dan Carpenter wrote:
> The entry struct has a 2 byte hole after ->port and another 4 byte
> hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
> namespace to hit this information leak.

Hi Dan,

can I verify that it is actually possible to hit this and
thus the patch is a -stable candidate?

> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index df05c1c..e336535 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
>  		struct ip_vs_dest *dest;
>  		struct ip_vs_dest_entry entry;
>  
> +		memset(&entry, 0, sizeof(entry));
>  		list_for_each_entry(dest, &svc->destinations, n_list) {
>  			if (count >= get->num_dests)
>  				break;
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


* Re: [patch] ipvs: info leak in __ip_vs_get_dest_entries()
  2013-06-04  1:03 ` Simon Horman
@ 2013-06-07  8:33   ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2013-06-07  8:33 UTC (permalink / raw)
  To: Simon Horman
  Cc: Wensong Zhang, Julian Anastasov, Pablo Neira Ayuso,
	Patrick McHardy, Jozsef Kadlecsik, David S. Miller, netdev,
	lvs-devel, netfilter-devel, netfilter, coreteam, kernel-janitors

On Mon, Jun 03, 2013 at 06:03:27PM -0700, Simon Horman wrote:
> On Mon, Jun 03, 2013 at 12:00:49PM +0300, Dan Carpenter wrote:
> > The entry struct has a 2 byte hole after ->port and another 4 byte
> > hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
> > namespace to hit this information leak.
> 
> Hi Dan,
> 
> can I verify that it is actually possible to hit this and
> thus the patch is a -stable candidate?

This is a static checker fix.  To me it seems like it's obviously a
real info leak.

I'm not certain of the impact though.  CLONE_NEWNET requires
CAP_SYS_ADMIN but on the other hand people are making virtualization
products where they give everyone their own namespace with admin
privileges.

regards,
dan carpenter


* Re: [patch] ipvs: info leak in __ip_vs_get_dest_entries()
  2013-06-03  9:00 [patch] ipvs: info leak in __ip_vs_get_dest_entries() Dan Carpenter
  2013-06-03 20:00 ` Julian Anastasov
  2013-06-04  1:03 ` Simon Horman
@ 2013-06-10  8:38 ` Simon Horman
  2013-06-10 12:58   ` Pablo Neira Ayuso
  2 siblings, 1 reply; 6+ messages in thread
From: Simon Horman @ 2013-06-10  8:38 UTC (permalink / raw)
  To: Dan Carpenter, Pablo Neira Ayuso
  Cc: Wensong Zhang, Julian Anastasov, Patrick McHardy,
	Jozsef Kadlecsik, David S. Miller, netdev, lvs-devel,
	netfilter-devel, netfilter, coreteam, kernel-janitors

On Mon, Jun 03, 2013 at 12:00:49PM +0300, Dan Carpenter wrote:
> The entry struct has a 2 byte hole after ->port and another 4 byte
> hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
> namespace to hit this information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Signed-off-by: Simon Horman <horms@verge.net.au>

Pablo, could you take this directly into your tree.
If possible for v3.10. It also appears to be relevant for stable.

> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index df05c1c..e336535 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -2542,6 +2542,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
>  		struct ip_vs_dest *dest;
>  		struct ip_vs_dest_entry entry;
>  
> +		memset(&entry, 0, sizeof(entry));
>  		list_for_each_entry(dest, &svc->destinations, n_list) {
>  			if (count >= get->num_dests)
>  				break;


* Re: [patch] ipvs: info leak in __ip_vs_get_dest_entries()
  2013-06-10  8:38 ` Simon Horman
@ 2013-06-10 12:58   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-10 12:58 UTC (permalink / raw)
  To: Simon Horman
  Cc: Dan Carpenter, Wensong Zhang, Julian Anastasov, Patrick McHardy,
	Jozsef Kadlecsik, David S. Miller, netdev, lvs-devel,
	netfilter-devel, netfilter, coreteam, kernel-janitors

On Mon, Jun 10, 2013 at 05:38:50PM +0900, Simon Horman wrote:
> On Mon, Jun 03, 2013 at 12:00:49PM +0300, Dan Carpenter wrote:
> > The entry struct has a 2 byte hole after ->port and another 4 byte
> > hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
> > namespace to hit this information leak.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> Signed-off-by: Simon Horman <horms@verge.net.au>
> 
> Pablo, could you take this directly into your tree.

Applied, thanks Simon.

> If possible for v3.10. It also appears to be relevant for stable.

Sure, will do.
