From: Loic <hackurx@opensec.fr>
To: Jan Engelhardt <jengelh@inai.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [netfilter-core] Heap overflow in xt_geoip.c
Date: Mon, 26 Jun 2017 20:41:13 +0200
Message-ID: <f2aa016334df64f2e88dc7b0cb802762@opensec.fr>
In-Reply-To: <nycvar.YFH.7.76.1706252143110.6159@n3.vanv.qr>
On 2017-06-25 21:45, Jan Engelhardt wrote:
> On Wednesday 2017-06-21 18:16, Pablo Neira Ayuso wrote:
>
>> Hi Loic,
>>
>> On Tue, Jun 20, 2017 at 08:31:26PM +0200, Loic wrote:
>>> Hi,
>>>
>>> I think there is a problem in the geoip code because I detect this:
>>>
>>> grep -ar "cicus.162_313 max" /usr/src/xtables-addons-2.12/extensions/
>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.o:cicus.162_313 max,
>>> count: 7, decl: vmalloc; num: 1; context: fndecl;
>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.o:/usr/src/xtables-addons-2.12/extensions/xt_geoip.ccicus.162_313
>>> max, count: 5, decl: size_overflow MARK_NO copy_user_generic 3; num:
>>> 0; context: attr;
>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.ko:cicus.162_313
>>> max,
>>> count: 7, decl: vmalloc; num: 1; context: fndecl;
>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.ko:/usr/src/xtables-addons-2.12/extensions/xt_geoip.ccicus.162_313
>>> max, count: 5, decl: size_overflow MARK_NO copy_user_generic 3; num:
>>> 0; context: attr;
>>>
>>> Maybe you can draw inspiration for resolving this from
>>> "vmalloc_usercopy" in PAX_USERCOPY from PaX/Grsecurity.
>>
>> This is out of tree code, Cc'ing Jan, who maintains this.
>
> What is cicus and what are these messages supposed to tell me?
This comes from the size_overflow plugin:
https://github.com/ephox-gcc-plugins/size_overflow
That said, I'm not an expert; I just detected this:
grep -ai size_overflow "xt_geoip.ko"
/usr/src/xtables-addons-2.12/extensions/xt_geoip.ccicus.162_313 max,
count: 5, decl: # size_overflow MARK_NO copy_user_generic 3; num: 0;
context: attr;
--
Best regards,
Loic