From patchwork Tue Jul 26 18:51:21 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 106909 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 83FA6B6F7F for ; Wed, 27 Jul 2011 04:51:37 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Qlmj1-00031r-Rz; Tue, 26 Jul 2011 18:51:27 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Qlmiy-0002z0-F3 for kernel-team@lists.ubuntu.com; Tue, 26 Jul 2011 18:51:24 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1Qlmix-00032n-JJ for ; Tue, 26 Jul 2011 18:51:23 +0000 Received: from [85.210.144.167] (helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1Qlmix-0002aP-Fo for kernel-team@lists.ubuntu.com; Tue, 26 Jul 2011 18:51:23 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [maverick/ti-omap4 CVE 1/1] bridge: netfilter: fix information leak Date: Tue, 26 Jul 2011 19:51:21 +0100 Message-Id: <1311706281-14238-3-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.4.1 In-Reply-To: <1311706281-14238-1-git-send-email-apw@canonical.com> References: <1311706281-14238-1-git-send-email-apw@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Vasiliy Kulikov Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov Signed-off-by: Patrick McHardy (cherry picked from commit d846f71195d57b0bbb143382647c2c6638b04c5a) CVE-2011-1080 BugLink: http://bugs.launchpad.net/bugs/816545 Signed-off-by: Andy Whitcroft --- net/bridge/netfilter/ebtables.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 59ca00e..62675dc 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1098,6 +1098,8 @@ static int do_replace(struct net *net, const void __user *user, if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) return -ENOMEM; + tmp.name[sizeof(tmp.name) - 1] = 0; + countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; newinfo = vmalloc(sizeof(*newinfo) + countersize); if (!newinfo)