[PATCH 09/22] [PATCH] Netfilter: do_add_counters race, possible oops or info leak (CVE-2006-0039)

From: Chris Wright
Date: Wed May 17 2006 - 18:13:18 EST

Next message: Chris Wright: "[PATCH 15/22] [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges"
Previous message: Chris Wright: "[PATCH 06/22] [PATCH] fs/compat.c: fix if (a |= b ) typo"
In reply to: Chris Wright: "[PATCH 06/22] [PATCH] fs/compat.c: fix if (a |= b ) typo"
Next in thread: Chris Wright: "[PATCH 15/22] [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.
------------------

Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698

Cc: Solar Designer <solar@xxxxxxxxxxxx>
Cc: Kirill Korotaev <dev@xxxxx>
Cc: Patrick McHardy <kaber@xxxxxxxxx>
(chrisw: rebase of Solar's patch to 2.6.16.16)
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---

net/ipv4/netfilter/arp_tables.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.16.16.orig/net/ipv4/netfilter/arp_tables.c
+++ linux-2.6.16.16/net/ipv4/netfilter/arp_tables.c
@@ -941,7 +941,7 @@ static int do_add_counters(void __user *

write_lock_bh(&t->lock);
private = t->private;
- if (private->number != paddc->num_counters) {
+ if (private->number != tmp.num_counters) {
ret = -EINVAL;
goto unlock_up_free;
}
--- linux-2.6.16.16.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.16.16/net/ipv4/netfilter/ip_tables.c
@@ -1063,7 +1063,7 @@ do_add_counters(void __user *user, unsig

write_lock_bh(&t->lock);
private = t->private;
- if (private->number != paddc->num_counters) {
+ if (private->number != tmp.num_counters) {
ret = -EINVAL;
goto unlock_up_free;
}
--- linux-2.6.16.16.orig/net/ipv6/netfilter/ip6_tables.c
+++ linux-2.6.16.16/net/ipv6/netfilter/ip6_tables.c
@@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig

write_lock_bh(&t->lock);
private = t->private;
- if (private->number != paddc->num_counters) {
+ if (private->number != tmp.num_counters) {
ret = -EINVAL;
goto unlock_up_free;
}

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "[PATCH 15/22] [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges"
Previous message: Chris Wright: "[PATCH 06/22] [PATCH] fs/compat.c: fix if (a |= b ) typo"
In reply to: Chris Wright: "[PATCH 06/22] [PATCH] fs/compat.c: fix if (a |= b ) typo"
Next in thread: Chris Wright: "[PATCH 15/22] [PATCH] PCI quirk: VIA IRQ fixup should only run for VIA southbridges"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]