From patchwork Thu Feb 1 10:29:26 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 868180
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/1] netfilter: nfnetlink_cthelper: Add missing permission checks
Date: Thu, 1 Feb 2018 11:29:26 +0100
Message-Id: <20180201102927.15920-2-kleber.souza@canonical.com>
In-Reply-To: <20180201102927.15920-1-kleber.souza@canonical.com>
References: <20180201102927.15920-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Kevin Cernekee The capability check in nfnetlink_rcv() verifies that the caller has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. However, nfnl_cthelper_list is shared by all net namespaces on the system. An unprivileged user can create user and net namespaces in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() check: $ nfct helper list nfct v1.4.4: netlink error: Operation not permitted $ vpnns -- nfct helper list { .name = ftp, .queuenum = 0, .l3protonum = 2, .l4protonum = 6, .priv_data_len = 24, .status = enabled, }; Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution. Signed-off-by: Kevin Cernekee Signed-off-by: Pablo Neira Ayuso CVE-2017-17448 (backported from commit 4b380c42f7d00a395feede754f0bc2292eebe6e5) Signed-off-by: Kleber Sacilotto de Souza --- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index 9e287cb56a04..cc8b20e5bb32 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -292,6 +293,9 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb, struct nf_conntrack_tuple tuple; int ret = 0, i; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) return -EINVAL; @@ -506,6 +510,9 @@ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb, struct nf_conntrack_tuple tuple; bool tuple_set = false; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_flags & NLM_F_DUMP) { struct netlink_dump_control c = { .dump = nfnl_cthelper_dump_table, @@ -578,6 +585,9 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb, bool tuple_set = false, found = false; int i, j = 0, ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tb[NFCTH_NAME]) helper_name = nla_data(tb[NFCTH_NAME]);
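Review bot: in the `@@ -17,6 +17,7 @@` hunk the header name on the added `+#include` line has been lost in this rendering, so it cannot be confirmed from the visible lines which header is being pulled in; since the three other hunks call `capable()` with `CAP_NET_ADMIN`, check that the added include is the one that declares those rather than relying on a transitive include, so the file still builds if the neighbouring headers change.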
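Review bot: in the `nfnl_cthelper_new()` hunk, `capable(CAP_NET_ADMIN)` tests the capability against the initial user namespace, a deliberate departure from the per-namespace `netlink_net_capable()` check done in `nfnetlink_rcv()`, but the reason (nfnl_cthelper_list is shared by all net namespaces) lives only in the commit message. Add a one-line comment above the check, for example `/* helper list is global, so require init-ns CAP_NET_ADMIN */`, so that nobody later "fixes" it back to a namespaced check. Placing it before the `tb[NFCTH_NAME]` / `tb[NFCTH_TUPLE]` validation is right: an unprivileged caller gets `-EPERM` before any attribute is touched.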
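Review bot: in the `nfnl_cthelper_get()` hunk the check sits before the `NLM_F_DUMP` branch, so both the single-entry lookup and the dump started through `nfnl_cthelper_dump_table` are gated, while the dump callback itself still carries no check; confirm it is not reachable from any other entry point. This also makes listing helpers a privileged operation for a caller holding CAP_NET_ADMIN only in a child namespace (the `vpnns -- nfct helper list` case in the commit message), which is the intent here but is a user-visible behaviour change worth stating in the SRU justification.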
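Review bot: the `nfnl_cthelper_del()` hunk is the third copy of the identical `if (!capable(CAP_NET_ADMIN)) return -EPERM;` check; that matches the commit message's decision not to generalise, but it means every callback added to this file in future must remember to repeat it. A short comment at the first check (or at the callback table) stating that every cthelper operation must require init-ns CAP_NET_ADMIN would make the invariant discoverable. Placement before `nla_data(tb[NFCTH_NAME])` is correct, so no attribute is read on behalf of an unprivileged caller.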