From patchwork Thu Jun 5 14:31:52 2014
X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 356456
From: Luis Henriques
To: kernel-team@lists.ubuntu.com
Subject: [Lucid][Precise/lts-backport-quantal][CVE-2014-3144][CVE-2014-3145] filter: prevent nla extensions to peek beyond the end of the message
Date: Thu, 5 Jun 2014 15:31:52 +0100
Message-Id: <1401978713-21362-1-git-send-email-luis.henriques@canonical.com>

Following this email, I'm sending the CVE-2014-3144 and CVE-2014-3145 fix (same commit), both for Lucid and lts-backport-quantal.

The backport of the fix is based on David Miller's backports for 3.2.y and 3.4.y stable kernels. However, the original backport contained what I initially thought was duplicated code:

After reporting upstream[1], it ended up being a bug in patch (the tool), and Mathias Krause provided a correct fix for these 2 kernels.

[1] http://thread.gmane.org/gmane.linux.kernel.stable/92920/focus=1718967

Mathias Krause (1):
  filter: prevent nla extensions to peek beyond the end of the message

 net/core/filter.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 5dea452..5b4d7ec 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -336,11 +336,15 @@ load_b:
             if (skb_is_nonlinear(skb))
                 return 0;
+            if (skb->len < sizeof(struct nlattr))
+                return 0;
+            if (skb->len < sizeof(struct nlattr))
+                return 0;
             if (A > skb->len - sizeof(struct nlattr))
                 return 0;
             nla = (struct nlattr *)&skb->data[A];
-            if (nla->nla_len > A - skb->len)
+            if (nla->nla_len > skb->len - A)
                 return 0;
             nla = nla_find_nested(nla, X);
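Review bot: the `if (skb->len < sizeof(struct nlattr)) return 0;` guard is inserted twice in a row in this hunk; the second copy is unreachable, and the diffstat above (3 insertions, 1 deletion) only accounts for a single copy, so the hunk as shown is the duplicated version the cover letter describes rather than the corrected backport, and one of the two blocks should be dropped. The remaining changes are sound: the new length check ensures `skb->len` is at least `sizeof(struct nlattr)` before the `A > skb->len - sizeof(struct nlattr)` subtraction is evaluated, and replacing `nla->nla_len > A - skb->len` with `nla->nla_len > skb->len - A` makes the comparison bound `nla_len` by the bytes actually remaining after offset A, which is the out-of-bounds read the two CVEs in the subject line cover.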