From patchwork Wed Feb 2 18:59:56 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tim Gardner X-Patchwork-Id: 81515 X-Patchwork-Delegate: stefan.bader@canonical.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 46A17B7101 for ; Thu, 3 Feb 2011 06:00:07 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Pkhvv-0008TD-OU; Wed, 02 Feb 2011 19:00:03 +0000 Received: from mail.tpi.com ([70.99.223.143]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Pkhvt-0008Sv-RR for kernel-team@lists.ubuntu.com; Wed, 02 Feb 2011 19:00:02 +0000 Received: from sepang.rtg.net (unknown [10.0.2.5]) by mail.tpi.com (Postfix) with ESMTP id 68B8E2998F4 for ; Wed, 2 Feb 2011 10:59:36 -0800 (PST) Received: by sepang.rtg.net (Postfix, from userid 1000) id CF640F89F8; Wed, 2 Feb 2011 11:59:56 -0700 (MST) To: kernel-team@lists.ubuntu.com Subject: Lucid CVE-2010-3880, inet_diag: Make sure we actually run the same bytecode we audited Message-Id: <20110202185956.CF640F89F8@sepang.rtg.net> Date: Wed, 2 Feb 2011 11:59:56 -0700 (MST) From: timg@tpi.com (Tim Gardner) X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com The following changes since commit c164bea3e14f2b8da7241f9b756143d6434ac303: Kulikov Vasiliy (1): net: tipc: fix information leak to userland, CVE-2010-3877 are available in the git repository at: git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-3880 Nelson Elhage (1): inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880 include/net/netlink.h | 2 +- net/ipv4/inet_diag.c | 27 ++++++++++++++++----------- 2 files changed, 17 insertions(+), 12 deletions(-) From 55c14fda6f8ef5d2ac75045de14abe21fc69975b Mon Sep 17 00:00:00 2001 From: Nelson Elhage Date: Wed, 3 Nov 2010 16:35:41 +0000 Subject: [PATCH] inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880 BugLink: http://bugs.launchpad.net/bugs/711865 CVE-2010-3880 We were using nlmsg_find_attr() to look up the bytecode by attribute when auditing, but then just using the first attribute when actually running bytecode. So, if we received a message with two attribute elements, where only the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different bytecode strings. Fix this by consistently using nlmsg_find_attr everywhere. Signed-off-by: Nelson Elhage Signed-off-by: Thomas Graf Signed-off-by: David S. Miller (back ported from commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860) Signed-off-by: Tim Gardner Acked-by: Stefan Bader Acked-by: Brad Figg --- include/net/netlink.h | 2 +- net/ipv4/inet_diag.c | 27 ++++++++++++++++----------- 2 files changed, 17 insertions(+), 12 deletions(-)