netfilter-devel.vger.kernel.org archive mirror
* [PATCH] bridge: netfilter: fix information leak
@ 2011-02-14 10:54 Vasiliy Kulikov
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
  To: linux-kernel
  Cc: security, Bart De Schuymer, Patrick McHardy, Stephen Hemminger,
	David S. Miller, ebtables-user, ebtables-devel, netfilter-devel,
	netfilter, coreteam, bridge, netdev

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 Compile tested.

 net/bridge/netfilter/ebtables.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825d..1ea820b 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name)-1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
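Review bot: the added `tmp.name[sizeof(tmp.name)-1] = 0;` silently truncates a 32-byte name to 31 characters instead of rejecting it; a name that fills the whole array with no terminator is a malformed request, so returning -EINVAL (e.g. `if (strnlen(tmp.name, sizeof(tmp.name)) == sizeof(tmp.name)) return -EINVAL;`) would close the over-read without letting a garbage request be looked up under a shortened table name. The placement itself is fine: it sits after the num_counters bound check and before the vmalloc of newinfo, so nothing in this function can use tmp.name as a string before it is terminated. Does any other path in this file that copies struct ebt_replace from userspace need the same treatment?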
-- 
1.7.0.4

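The leak the commit message describes, shown as an added example that is not the patch's or the kernel's own code. A constructed "kernel stack" holds the struct copied from userspace followed by other stack data; three hypothetical stand-ins for do_replace() plus try_then_request_module() show the pre-patch over-read, the patch's forced terminator, and a stricter reject-instead-of-truncate variant that the patch does not use. `struct replace_hdr` models only the name field of struct ebt_replace; STACK_TAIL, build_frame and the request_module_* names are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of ebt_replace.name (EBT_TABLE_MAXNAMELEN in the kernel). */
#define TABLE_NAME_LEN 32

/* Hypothetical stand-in for struct ebt_replace: only the leading name
 * field is modelled, since that is where the over-read starts. */
struct replace_hdr {
    char name[TABLE_NAME_LEN];
};

/* Constructed stand-in for whatever sits on the kernel stack right
 * after the copied struct. */
#define STACK_TAIL "STACK-SECRET"
#define FRAME_LEN (TABLE_NAME_LEN + sizeof STACK_TAIL)

/* Lay out the model stack frame: the user-supplied name bytes first
 * (no terminator is appended, exactly as copy_from_user() leaves them),
 * then the adjacent stack contents. Returns the frame length. */
size_t build_frame(unsigned char frame[FRAME_LEN], const char *name, size_t name_len)
{
    memset(frame, 0, FRAME_LEN);
    if (name_len > TABLE_NAME_LEN)
        name_len = TABLE_NAME_LEN;
    memcpy(frame, name, name_len);
    memcpy(frame + TABLE_NAME_LEN, STACK_TAIL, sizeof STACK_TAIL);
    return FRAME_LEN;
}

/* Pre-patch behaviour: the name is used as a C string straight out of
 * the copied struct. If the user filled all 32 bytes, formatting stops
 * only at the next NUL on the stack, so the stack tail ends up in the
 * modprobe argument. Returns the length of the argument passed on. */
int request_module_unfixed(const unsigned char *frame, char *arg, size_t arg_len)
{
    const char *name = (const char *)frame + offsetof(struct replace_hdr, name);
    return snprintf(arg, arg_len, "ebtable_%s", name);
}

/* Patched behaviour: force a terminator into the last byte of name
 * before it is used as a string. A 32-byte name is silently cut to 31. */
int request_module_fixed(const unsigned char *frame, char *arg, size_t arg_len)
{
    struct replace_hdr tmp;

    memcpy(&tmp, frame, sizeof tmp);        /* models copy_from_user() */
    tmp.name[sizeof(tmp.name) - 1] = 0;     /* the patch's one-line fix */
    return snprintf(arg, arg_len, "ebtable_%s", tmp.name);
}

/* Stricter alternative (not what the patch does): reject a name with
 * no terminator instead of truncating it, so a malformed request is
 * not mistaken for a request for a different, shorter table name. */
int request_module_strict(const unsigned char *frame, char *arg, size_t arg_len)
{
    struct replace_hdr tmp;

    memcpy(&tmp, frame, sizeof tmp);
    if (memchr(tmp.name, 0, sizeof tmp.name) == NULL)
        return -EINVAL;
    return snprintf(arg, arg_len, "ebtable_%s", tmp.name);
}

int main(void)
{
    unsigned char frame[FRAME_LEN];
    char arg[128];
    char filled[TABLE_NAME_LEN];

    /* Constructed input: a name that fills the array with no NUL. */
    memset(filled, 'A', sizeof filled);
    build_frame(frame, filled, sizeof filled);
    printf("unfixed: %d bytes -> %s\n", request_module_unfixed(frame, arg, sizeof arg), arg);
    printf("fixed  : %d bytes -> %s\n", request_module_fixed(frame, arg, sizeof arg), arg);
    printf("strict : %d\n", request_module_strict(frame, arg, sizeof arg));

    /* A well-formed, terminated name passes all three unchanged. */
    build_frame(frame, "filter", 6);
    printf("fixed  : %d bytes -> %s\n", request_module_fixed(frame, arg, sizeof arg), arg);
    return 0;
}
```

Compiled with any C compiler, the unfixed line prints the module name with the STACK-SECRET bytes appended; on a real system that string becomes modprobe's argv, which is what the commit message means by "seen by all userspace processes". The fixed line stops at 31 bytes of name, and the strict variant returns -EINVAL for the unterminated input while accepting "filter".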


* Re: [PATCH] bridge: netfilter: fix information leak
  2011-02-14 10:54 [PATCH] bridge: netfilter: fix information leak Vasiliy Kulikov
@ 2011-02-14 15:50 ` Patrick McHardy
From: Patrick McHardy @ 2011-02-14 15:50 UTC (permalink / raw)
  To: Vasiliy Kulikov
  Cc: linux-kernel, security, Bart De Schuymer, Stephen Hemminger,
	David S. Miller, ebtables-user, ebtables-devel, netfilter-devel,
	netfilter, coreteam, bridge, netdev

On 14.02.2011 11:54, Vasiliy Kulikov wrote:
> Struct tmp is copied from userspace.  It is not checked whether the "name"
> field is NULL terminated.  This may lead to buffer overflow and passing
> contents of kernel stack as a module name to try_then_request_module() and,
> consequently, to modprobe commandline.  It would be seen by all userspace
> processes.
> 
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>

Applied, thanks Vasiliy.
