From patchwork Thu Feb 1 10:29:27 2018
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Artful][Bionic][PATCH 1/1] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Thu, 1 Feb 2018 11:29:27 +0100
Message-Id: <20180201102927.15920-3-kleber.souza@canonical.com>
In-Reply-To: <20180201102927.15920-1-kleber.souza@canonical.com>
References: <20180201102927.15920-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Kevin Cernekee

The capability check in nfnetlink_rcv() verifies that the caller has
CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However,
nfnl_cthelper_list is shared by all net namespaces on the system. An
unprivileged user can create user and net namespaces in which he holds
CAP_NET_ADMIN to bypass the netlink_net_capable() check:

    $ nfct helper list
    nfct v1.4.4: netlink error: Operation not permitted
    $ vpnns -- nfct helper list
    {
            .name = ftp,
            .queuenum = 0,
            .l3protonum = 2,
            .l4protonum = 6,
            .priv_data_len = 24,
            .status = enabled,
    };

Add capable() checks in nfnetlink_cthelper, as this is cleaner than
trying to generalize the solution.

Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso

CVE-2017-17448

(cherry picked from commit 4b380c42f7d00a395feede754f0bc2292eebe6e5)
Signed-off-by: Kleber Sacilotto de Souza
---
 net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index 41628b393673..d33ce6d5ebce 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, struct nfnl_cthelper *nlcth; int ret = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, struct nfnl_cthelper *nlcth; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, struct nfnl_cthelper *nlcth, *n; int j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
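Review bot: in the first hunk (@@ -17,6 +17,7 @@) the added `+#include` line has lost its header name in this rendering, so it cannot be checked here; as applied it has to be the header that declares capable() and CAP_NET_ADMIN, otherwise the three new call sites below do not build. Worth confirming against the upstream commit named in the cherry-pick line before the SRU is accepted.

Review bot: the three `if (!capable(CAP_NET_ADMIN)) return -EPERM;` hunks in nfnl_cthelper_new(), nfnl_cthelper_get() and nfnl_cthelper_del() deliberately use capable() rather than the netlink_net_capable() style check that nfnetlink_rcv() already performs, because nfnl_cthelper_list is global rather than per-namespace. That reasoning lives only in the commit message; a one-line comment at one of the call sites (e.g. "/* nfnl_cthelper_list is global, so require CAP_NET_ADMIN in the initial user namespace */") would stop a future cleanup from "relaxing" it back to a namespace-scoped check. Placement is right: the check precedes attribute validation in new/del and precedes the NLM_F_DUMP branch in get, so table dumps are gated as well and an unprivileged caller gets -EPERM before any attribute is parsed.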