Patchwork [hardy,lucid/fsl-imx51,CVE,1/1] bridge: netfilter: fix information leak

Submitter: Andy Whitcroft
Date: July 26, 2011, 6:51 p.m.
Message ID: <1311706281-14238-2-git-send-email-apw@canonical.com>
Permalink: /patch/106910/
State: New

Comments

Andy Whitcroft - July 26, 2011, 6:51 p.m.
From: Vasiliy Kulikov <segoon@openwall.com>

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

(backported from commit d846f71195d57b0bbb143382647c2c6638b04c5a)
CVE-2011-1080
BugLink: http://bugs.launchpad.net/bugs/816545
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/bridge/netfilter/ebtables.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

Patch

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index d575e27..fd87185 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -946,6 +946,8 @@  static int do_replace(void __user *user, unsigned int len)
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
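Review bot: the added `tmp.name[sizeof(tmp.name) - 1] = 0;` silently truncates an overlong or unterminated name instead of rejecting it; that matches the upstream commit named in the message (d846f71195d57b0bbb143382647c2c6638b04c5a), so it is acceptable for a backport, but if the tree has any other entry point that copies the same structure from userspace (for example a compat path, if one exists in this kernel), it would need the identical terminator write, and the hunk gives no way to confirm that from here. The placement itself is right: the write sits after the copy from userspace and before `countersize` / `vmalloc()` and any later use of `tmp.name`, so nothing between the copy and the fix reads the name.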
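The failure mode the commit message describes, a fixed-size name field copied verbatim from userspace with no guarantee of a terminator, and the one-line fix applied in the hunk, as an added stand-alone example (not kernel code and not part of this patch). The structure, the buffer size `NAME_LEN`, and the `copy_from_user_sim()` stand-in are constructed for the example; the kernel's real structure and copy routine differ.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a kernel structure that carries a fixed-size
 * name field; NAME_LEN is an assumption for this example. */
#define NAME_LEN 32

struct replace_hdr {
    char name[NAME_LEN];
    unsigned int nentries;
};

/* Stand-in for copy_from_user(): copies raw bytes exactly as supplied.
 * Nothing here guarantees that name contains a NUL. */
static int copy_from_user_sim(struct replace_hdr *dst, const void *src, size_t len)
{
    if (len != sizeof(*dst))
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Returns 1 if a terminator exists somewhere inside name, 0 otherwise.
 * Without a terminator, strlen()/strcmp() would read past the field into
 * whatever follows it in memory, which is the leak the patch closes. */
static int name_is_terminated(const struct replace_hdr *hdr)
{
    return memchr(hdr->name, '\0', sizeof(hdr->name)) != NULL;
}

/* The fix from the patch: force a NUL into the last byte so every later
 * string operation on name stops inside the buffer. Returns the resulting
 * length, which is now guaranteed to be at most NAME_LEN - 1. */
static size_t terminate_name(struct replace_hdr *hdr)
{
    hdr->name[sizeof(hdr->name) - 1] = '\0';
    return strlen(hdr->name);
}

/* Constructed input: userspace fills the whole name field with 'A', so no
 * NUL is present. Returns whether the copied name is terminated (expected 0). */
int unterminated_before_fix(void)
{
    unsigned char userbuf[sizeof(struct replace_hdr)];
    struct replace_hdr hdr;

    memset(userbuf, 'A', sizeof(userbuf));
    copy_from_user_sim(&hdr, userbuf, sizeof(userbuf));
    return name_is_terminated(&hdr);
}

/* Same input after applying the fix: the name is clamped to NAME_LEN - 1. */
size_t unterminated_after_fix(void)
{
    unsigned char userbuf[sizeof(struct replace_hdr)];
    struct replace_hdr hdr;

    memset(userbuf, 'A', sizeof(userbuf));
    copy_from_user_sim(&hdr, userbuf, sizeof(userbuf));
    return terminate_name(&hdr);
}

/* A well-formed short name is unaffected by the fix: "filter" stays 6 long. */
size_t short_name_after_fix(void)
{
    struct replace_hdr user_hdr;
    struct replace_hdr hdr;

    memset(&user_hdr, 0, sizeof(user_hdr));
    strcpy(user_hdr.name, "filter");
    copy_from_user_sim(&hdr, &user_hdr, sizeof(user_hdr));
    return terminate_name(&hdr);
}
```

The point of `terminate_name()` is that it is safe no matter what userspace sent: a valid short name is untouched, while an unterminated one is clamped to the field rather than letting a later `strlen()` or `strcmp()` run off the end of the structure.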