Patchwork Hardy CVE-2010-3880, inet_diag: Make sure we actually run the same bytecode we audited

Submitter Tim Gardner
Date Feb. 2, 2011, 7:03 p.m.
Message ID <20110202190335.46C19F89F8@sepang.rtg.net>
Permalink /patch/81517/
State Accepted
Delegated to: Stefan Bader

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-3880

Comments

Tim Gardner - Feb. 2, 2011, 7:03 p.m.
The following changes since commit 093c92021633ce7cb8f884704215eff5a0616c50:
  Kulikov Vasiliy (1):
        net: tipc: fix information leak to userland, CVE-2010-3877

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-3880

Nelson Elhage (1):
      inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880

 include/net/netlink.h |    2 +-
 net/ipv4/inet_diag.c  |   27 ++++++++++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)

From 885497675fb9365d5b38b278618fff76e3cc7938 Mon Sep 17 00:00:00 2001
From: Nelson Elhage <nelhage@ksplice.com>
Date: Wed, 3 Nov 2010 16:35:41 +0000
Subject: [PATCH] inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880

BugLink: http://bugs.launchpad.net/bugs/711865

CVE-2010-3880

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.

Fix this by consistently using nlmsg_find_attr everywhere.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 include/net/netlink.h |    2 +-
 net/ipv4/inet_diag.c  |   27 ++++++++++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)
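The audit/run mismatch the commit message describes, as an added illustrative model (not the kernel's inet_diag code and not the patch): a minimal netlink attribute walker, a constructed two-attribute message whose first attribute is not the bytecode, and both the pre-fix "run the first attribute" path and the fixed "look it up by type again" path. INET_DIAG_REQ_BYTECODE is the real attribute type; UNRELATED_ATTR and the payload bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Netlink TLV header (layout of struct nlattr): 16-bit total length, 16-bit
   type, then payload padded to a 4-byte boundary. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)
#define NLA_HDRLEN   NLA_ALIGN(sizeof(struct nlattr))
#define INET_DIAG_REQ_BYTECODE 1 /* real type from include/linux/inet_diag.h */
#define UNRELATED_ATTR 7         /* constructed: a type this path does not use */

/* First attribute of the given type, as nlmsg_find_attr() does; NULL if absent or malformed. */
static const struct nlattr *find_attr(const uint8_t *buf, size_t len, uint16_t type)
{
    for (size_t off = 0; off + NLA_HDRLEN <= len; ) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
            return NULL;
        if (nla->nla_type == type)
            return nla;
        off += NLA_ALIGN(nla->nla_len);
    }
    return NULL;
}

/* Append one attribute at offset off of a zeroed buffer; returns the new length. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const char *data, uint16_t n)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + n), type };
    memcpy(buf + off, &hdr, sizeof hdr);
    memcpy(buf + off + NLA_HDRLEN, data, n);
    return off + NLA_ALIGN(NLA_HDRLEN + n);
}

/* Constructed two-attribute message (unrelated type first, bytecode second).
   Returns 1 if the audited and the executed attribute are the same one;
   fixed == 0 models the vulnerable code, fixed == 1 the patched code. */
int audit_matches_run(int fixed)
{
    uint8_t msg[64] = { 0 };
    size_t len = put_attr(msg, 0, UNRELATED_ATTR, "XXXX", 4);
    len = put_attr(msg, len, INET_DIAG_REQ_BYTECODE, "BC", 2);
    /* Audit step: look the bytecode up by type, as the original code already did. */
    const struct nlattr *audited = find_attr(msg, len, INET_DIAG_REQ_BYTECODE);
    /* Run step: pre-fix code took the first attribute blindly; the fix looks it up again. */
    const struct nlattr *run = fixed ? find_attr(msg, len, INET_DIAG_REQ_BYTECODE)
                                     : (const struct nlattr *)msg;
    return audited != NULL && run == audited;
}
```

With the unrelated attribute in front, the pre-fix path executes bytes that were never audited, which is exactly why the fix uses nlmsg_find_attr() in both places.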
Tim Gardner - Feb. 2, 2011, 7:11 p.m.
Postpone this one for a bit. The custom binary openvz flavour is failing.

rtg