| Submitter | Andy Whitcroft |
|---|---|
| Date | July 7, 2011, 9:28 a.m. |
| Message ID | <1310030885-17977-2-git-send-email-apw@canonical.com> |
| Permalink | /patch/103625/ |
| State | New |
Comments
On 07.07.2011 11:28, Andy Whitcroft wrote: > From: Vasiliy Kulikov <segoon@openwall.com> > > 'buffer' string is copied from userspace. It is not checked whether it is > zero terminated. This may lead to overflow inside of simple_strtoul(). > Changli Gao suggested to copy not more than user supplied 'size' bytes. > > It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are > root writable only by default, however, on some setups permissions might be > relaxed to e.g. network admin user. > > Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> > Acked-by: Changli Gao <xiaosuo@gmail.com> > Signed-off-by: Patrick McHardy <kaber@trash.net> > > (cherry picked from commit 961ed183a9fd080cf306c659b8736007e44065a5) > CVE-2011-2534 > BugLink: http://bugs.launchpad.net/bugs/801473 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++- > 1 files changed, 4 insertions(+), 1 deletions(-) > > diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c > index 2f544da..6420953 100644 > --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c > +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c > @@ -686,8 +686,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input, > struct clusterip_config *c = pde->data; > unsigned long nodenum; > > - if (copy_from_user(buffer, input, PROC_WRITELEN)) > + if (size > PROC_WRITELEN) > + return -EIO; > + if (copy_from_user(buffer, input, size)) > return -EFAULT; > + buffer[size] = 0; > > if (*buffer == '+') { > nodenum = simple_strtoul(buffer+1, NULL, 10); Looks reasonable. Acked-by: Stefan Bader <stefan.bader@canonical.com>
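A userspace model of the parsing logic the patch introduces, written here as an added example (not kernel code and not part of the thread): the handler copies at most the caller's `size` bytes, rejects oversized writes, and writes its own terminator, so an unterminated input can no longer be read past its end by the number parser. `PROC_WRITELEN`'s value, `strtoul` standing in for `simple_strtoul()`, and the `-EINVAL` for a missing number are assumptions of this model.

```c
/* Userspace model of the patched clusterip_proc_write() parsing step
 * (added example, not kernel code). `input` behaves like a userspace
 * buffer: only `size` bytes may be read and nothing guarantees a NUL. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROC_WRITELEN 10          /* constructed value for this model */

/* Parsed command: op is '+' (add node) or '-' (delete node). */
struct proc_cmd {
    char op;
    unsigned long nodenum;
};

/* Mirrors the patched handler. Returns 0 or a negative errno, as the
 * kernel does. -EINVAL for "no digits after the operator" is an
 * addition of this model; the kernel handler does not check that. */
static int clusterip_write_fixed(const char *input, size_t size,
                                 struct proc_cmd *out)
{
    /* One extra byte so buffer[size] is in bounds when size == PROC_WRITELEN. */
    char buffer[PROC_WRITELEN + 1];
    char *end;

    if (size > PROC_WRITELEN)       /* bound the copy to the declared buffer */
        return -EIO;
    memcpy(buffer, input, size);    /* stands in for copy_from_user() */
    buffer[size] = '\0';            /* terminator comes from us, not the caller */

    if (buffer[0] != '+' && buffer[0] != '-')
        return -EIO;                /* unknown command, as in the kernel handler */
    out->nodenum = strtoul(buffer + 1, &end, 10);  /* stand-in for simple_strtoul() */
    if (end == buffer + 1)
        return -EINVAL;
    out->op = buffer[0];
    return 0;
}

int main(void)
{
    /* Constructed input with no NUL anywhere; only 3 bytes are "written". */
    char raw[6] = { '+', '4', '2', '9', '9', '9' };
    struct proc_cmd cmd;
    int rc = clusterip_write_fixed(raw, 3, &cmd);
    printf("rc=%d op=%c node=%lu\n", rc, cmd.op, cmd.nodenum);  /* rc=0 op=+ node=42 */
    return 0;
}
```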
Patch
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 2f544da..6420953 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -686,8 +686,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input, struct clusterip_config *c = pde->data; unsigned long nodenum; - if (copy_from_user(buffer, input, PROC_WRITELEN)) + if (size > PROC_WRITELEN) + return -EIO; + if (copy_from_user(buffer, input, size)) return -EFAULT; + buffer[size] = 0; if (*buffer == '+') { nodenum = simple_strtoul(buffer+1, NULL, 10);
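Review bot: the new bound `if (size > PROC_WRITELEN)` still admits size == PROC_WRITELEN, after which `buffer[size] = 0;` stores into index PROC_WRITELEN; that is in bounds only if `buffer` is declared with PROC_WRITELEN + 1 elements, and the hunk does not show the declaration, so either confirm it in the surrounding code or tighten the check to `>=`. With the copy bounded to the caller's `size` and the terminator written by the kernel rather than assumed, the unterminated read into simple_strtoul() described in the commit message is closed. Minor: -EIO for an oversized write is an unusual code for a bad user argument, where -EINVAL or -E2BIG would read more naturally.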