| Message ID | 1347572486-1628-1-git-send-email-minipli@googlemail.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
On Thu, Sep 13, 2012 at 11:41:26PM +0200, Mathias Krause wrote:
> When dump_one_state() returns an error, e.g. because of a too small
> buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
> instead of an error pointer. But its callers expect an error pointer
> and therefore continue to operate on a NULL skbuff.
>
> This could lead to a privilege escalation (execution of user code in
> kernel context) if the attacker has CAP_NET_ADMIN and is able to map
> address 0.

Or it simply crashes with a NULL pointer dereference.

> Cc: stable@vger.kernel.org
> Signed-off-by: Mathias Krause <minipli@googlemail.com>

Acked-by: Steffen Klassert <steffen.klassert@secunet.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Sep 17, 2012 at 9:16 AM, Steffen Klassert <steffen.klassert@secunet.com> wrote:
> On Thu, Sep 13, 2012 at 11:41:26PM +0200, Mathias Krause wrote:
>> When dump_one_state() returns an error, e.g. because of a too small
>> buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
>> instead of an error pointer. But its callers expect an error pointer
>> and therefore continue to operate on a NULL skbuff.
>>
>> This could lead to a privilege escalation (execution of user code in
>> kernel context) if the attacker has CAP_NET_ADMIN and is able to map
>> address 0.
>
> Or it simply crashes with a NULL pointer dereference.

..while holding the xfrm_cfg_mutex, therefore effectively disabling the
XFRM netlink interface. So it's at least a DOS in that case ;)

Regards,
Mathias
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 17 Sep 2012 09:16:42 +0200

> On Thu, Sep 13, 2012 at 11:41:26PM +0200, Mathias Krause wrote:
>> When dump_one_state() returns an error, e.g. because of a too small
>> buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
>> instead of an error pointer. But its callers expect an error pointer
>> and therefore continue to operate on a NULL skbuff.
>>
>> This could lead to a privilege escalation (execution of user code in
>> kernel context) if the attacker has CAP_NET_ADMIN and is able to map
>> address 0.
>
> Or it simply crashes with a NULL pointer dereference.
>
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Mathias Krause <minipli@googlemail.com>
>
> Acked-by: Steffen Klassert <steffen.klassert@secunet.com>

Applied, and queued up for -stable.

Please do not CC: stable explicitly in your patch submissions, I removed
it from the patch.

Instead, ask me to queue the patch up for -stable.

We handle stable submissions via a patch queue which I maintain at:

http://patchwork.ozlabs.org/user/bundle/2566/?state=*

so that I can let patches cook in Linus's tree for a length of time of my
choosing, rather than having bug fixes automatically propagate the moment
it hits Linus's tree.

Thanks.
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index e75d8e4..dac08e2 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -878,6 +878,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, { struct xfrm_dump_info info; struct sk_buff *skb; + int err; skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); if (!skb) @@ -888,9 +889,10 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, info.nlmsg_seq = seq; info.nlmsg_flags = 0; - if (dump_one_state(x, 0, &info)) { + err = dump_one_state(x, 0, &info); + if (err) { kfree_skb(skb); - return NULL; + return ERR_PTR(err); } return skb;
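Review bot: the first hunk (the added `int err;`) leaves the other failure path of xfrm_state_netlink() outside the visible context: right after `skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);` the `if (!skb)` branch is cut off at the hunk boundary, and once callers are expected to treat only an error pointer as failure, that branch must also return an ERR_PTR value rather than NULL. Please confirm in the commit log that the allocation-failure return is already an ERR_PTR (or convert it in the same patch), so the function has a single failure convention after this change.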
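Review bot: in the second hunk, replacing `return NULL;` with `return ERR_PTR(err);` is only a complete fix if every caller of xfrm_state_netlink() checks the result with IS_ERR()/PTR_ERR() and none still compares it against NULL; the callers are not in this hunk and the commit message only says they "expect an error pointer" without naming them, so please list the call sites that were audited in the log. Since the cover text says "A test case can be provided on request", including it (or a reproduction of the too-small-buffer condition under which dump_one_state() fails) in the commit message would also make the fix verifiable for the -stable backport.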
When dump_one_state() returns an error, e.g. because of a too small
buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
instead of an error pointer. But its callers expect an error pointer
and therefore continue to operate on a NULL skbuff.

This could lead to a privilege escalation (execution of user code in
kernel context) if the attacker has CAP_NET_ADMIN and is able to map
address 0.

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
A test case can be provided on request.

 net/xfrm/xfrm_user.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)