lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 26 Apr 2011 14:13:11 -0700 (PDT)
From:	Andi Kleen <andi@...stfloor.org>
To:	segoon@...nwall.com, xiaosuo@...il.com, kaber@...sh.net,
	gregkh@...e.de, ak@...ux.intel.com, linux-kernel@...r.kernel.org,
	stable@...nel.org, tim.bird@...sony.com
Subject: [PATCH] [32/106] netfilter: ipt_CLUSTERIP: fix buffer overflow

2.6.35-longterm review patch.  If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <segoon@...nwall.com>

commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.

'buffer' string is copied from userspace.  It is not checked whether it is
zero terminated.  This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>
Acked-by: Changli Gao <xiaosuo@...il.com>
Signed-off-by: Patrick McHardy <kaber@...sh.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
Signed-off-by: Andi Kleen <ak@...ux.intel.com>

---
 net/ipv4/netfilter/ipt_CLUSTERIP.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.35.y/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -663,8 +663,11 @@ static ssize_t clusterip_proc_write(stru
 	char buffer[PROC_WRITELEN+1];
 	unsigned long nodenum;
 
-	if (copy_from_user(buffer, input, PROC_WRITELEN))
+	if (size > PROC_WRITELEN)
+		return -EIO;
+	if (copy_from_user(buffer, input, size))
 		return -EFAULT;
+	buffer[size] = 0;
 
 	if (*buffer == '+') {
 		nodenum = simple_strtoul(buffer+1, NULL, 10);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ