From patchwork Wed Jan 31 13:04:51 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 867918
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][T][X][A][B][PATCH 1/1] netfilter: xt_osf: Add missing permission checks
Date: Wed, 31 Jan 2018 14:04:51 +0100
Message-Id: <20180131130451.22182-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180131130451.22182-1-kleber.souza@canonical.com>
References: <20180131130451.22182-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Kevin Cernekee

The capability check in nfnetlink_rcv() verifies that the caller has
CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However,
xt_osf_fingers is shared by all net namespaces on the system. An
unprivileged user can create user and net namespaces in which he holds
CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    vpnns -- nfnl_osf -f /tmp/pf.os
    vpnns -- nfnl_osf -f /tmp/pf.os -d

These non-root operations successfully modify the systemwide OS
fingerprint list. Add new capable() checks so that they can't.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso

CVE-2017-17450

(cherry picked from commit 916a27901de01446bcf57ecca4783f6cff493309)
Signed-off-by: Kleber Sacilotto de Souza
---
 net/netfilter/xt_osf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c index 647d989a01e6..de49ff18963a 100644 --- a/net/netfilter/xt_osf.c +++ b/net/netfilter/xt_osf.c @@ -20,6 +20,7 @@ #include #include +#include #include #include #include @@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb, struct xt_osf_finger *kf = NULL, *sf; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL; @@ -113,6 +117,9 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb, struct xt_osf_finger *sf; int err = -ENOENT; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!osf_attrs[OSF_ATTR_FINGER]) return -EINVAL;
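Review bot: the `+#include` line in the first hunk (`@@ -20,6 +20,7 @@`) has lost its header name in this rendering, as have the surrounding `#include` context lines, so the patch as displayed cannot be applied; the header being added must be taken from the upstream commit 916a27901de01446bcf57ecca4783f6cff493309 cited in the message, and a reviewer should check it is the one that declares capable() and CAP_NET_ADMIN rather than guessing from the rendered text.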
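Review bot: in the xt_osf_add_callback() hunk the new `if (!capable(CAP_NET_ADMIN)) return -EPERM;` sits ahead of the `osf_attrs[OSF_ATTR_FINGER]` check, which is the right order: an unprivileged caller is refused before any attribute is inspected and gets -EPERM rather than -EINVAL. capable() is evaluated against the initial user namespace, so CAP_NET_ADMIN held only inside a user namespace the caller created does not satisfy it, which is exactly the gap the message describes; the existing netlink_net_capable() check in nfnetlink_rcv() is not removed, so both checks must now pass to reach the shared xt_osf_fingers list.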
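Review bot: the guard added to xt_osf_remove_callback() is identical to the one in the add path, which is required because deletion (the `nfnl_osf ... -d` invocation in the message) modifies the same system-wide list; for this SRU cherry-pick the main thing to verify is that both guards match the upstream commit exactly, and the diffstat (7 insertions, no deletions, one file) is consistent with the three hunks shown.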
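To make the namespace argument in the commit message concrete, here is an added userspace model (not kernel code and not part of this patch) of how Linux resolves a capability against a target user namespace, following the walk performed by cap_capable(): it shows why the pre-patch check in nfnetlink_rcv(), which targets the user namespace owning the socket, passes for a caller who created his own user and net namespaces, while the capable(CAP_NET_ADMIN) check the patch adds, which targets init_user_ns, refuses the same caller and still admits real root. All `model_*` names, the struct layouts and the uid 1000 scenario are assumptions made for this illustration.

```c
/* Added illustration (not kernel code, not part of the patch): a userspace
 * model of how cap_capable() decides whether a task's credentials carry a
 * capability in a target user namespace. The walk mirrors the kernel's;
 * struct layouts and the model_* names are hypothetical simplifications. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_ADMIN 12            /* capability number as in the kernel */

struct user_namespace {
	struct user_namespace *parent;  /* NULL for init_user_ns */
	int level;                      /* 0 for init_user_ns, +1 per nesting */
	unsigned int owner;             /* (global) uid that created the ns */
};

struct cred {
	struct user_namespace *user_ns; /* namespace the task's creds belong to */
	uint64_t cap_effective;         /* capability bitmask, valid in user_ns */
	unsigned int euid;              /* global effective uid */
};

static struct user_namespace init_user_ns = { NULL, 0, 0 };

/* Model of cap_capable(): walk from the target ns towards the root.
 * Returns 0 when privileged, -1 (EPERM) otherwise. */
static int model_cap_capable(const struct cred *cred,
			     struct user_namespace *targ_ns, int cap)
{
	struct user_namespace *ns = targ_ns;

	for (;;) {
		/* Reached the caller's own ns: the bitmask decides. */
		if (ns == cred->user_ns)
			return (cred->cap_effective & (1ULL << cap)) ? 0 : -1;
		/* Root ns reached without passing through the caller's ns. */
		if (ns == &init_user_ns)
			return -1;
		/* Target is not below the caller's ns: no privilege. */
		if (ns->level <= cred->user_ns->level)
			return -1;
		/* Creator of a direct child ns has every capability in it. */
		if (ns->parent == cred->user_ns && ns->owner == cred->euid)
			return 0;
		ns = ns->parent;
	}
}

/* ns_capable(): privileged in one particular user namespace? */
static bool model_ns_capable(const struct cred *cred,
			     struct user_namespace *ns, int cap)
{
	return model_cap_capable(cred, ns, cap) == 0;
}

/* capable(): privileged in init_user_ns, i.e. system-wide? */
static bool model_capable(const struct cred *cred, int cap)
{
	return model_ns_capable(cred, &init_user_ns, cap);
}

/* Constructed scenario from the commit message: uid 1000 unshares a user
 * namespace (gaining a full capability set inside it) and a net namespace
 * owned by that user ns, then opens the nfnetlink socket inside it. */
static struct user_namespace child_ns = { &init_user_ns, 1, 1000 };
static struct cred unpriv_in_child = { &child_ns, ~0ULL, 1000 };

/* Pre-patch check: netlink_net_capable() resolves CAP_NET_ADMIN against
 * the user ns owning the socket's net ns, which is the caller's own ns. */
static bool prepatch_check_passes(void)
{
	return model_ns_capable(&unpriv_in_child, &child_ns, CAP_NET_ADMIN);
}

/* Check added by the patch in xt_osf_add_callback()/xt_osf_remove_callback():
 * capable() targets init_user_ns, which the caller never held privilege in. */
static bool patched_check_passes(void)
{
	return model_capable(&unpriv_in_child, CAP_NET_ADMIN);
}

/* Real root in the initial namespace must keep passing both checks. */
static struct cred root_in_init = { &init_user_ns, ~0ULL, 0 };

static bool root_passes_both(void)
{
	return model_ns_capable(&root_in_init, &child_ns, CAP_NET_ADMIN) &&
	       model_capable(&root_in_init, CAP_NET_ADMIN);
}

int main(void)
{
	printf("ns check (pre-patch), unprivileged ns owner: %s\n",
	       prepatch_check_passes() ? "pass" : "EPERM");
	printf("capable() check (patched), same caller:     %s\n",
	       patched_check_passes() ? "pass" : "EPERM");
	printf("root passes both checks:                    %s\n",
	       root_passes_both() ? "yes" : "no");
	return 0;
}
```

The model runs the two checks side by side on the same credentials: the namespace-relative check succeeds for the namespace owner, the global one does not, and root is unaffected, which is the behaviour the added guards rely on for a resource that is not per-namespace.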