Message-Id: <1297680875-11663-1-git-send-email-segoon@openwall.com>
Date: Mon, 14 Feb 2011 13:54:35 +0300
From: Vasiliy Kulikov <segoon@...nwall.com>
To: linux-kernel@...r.kernel.org
Cc: security@...nel.org,
Bart De Schuymer <bart.de.schuymer@...dora.be>,
Patrick McHardy <kaber@...sh.net>,
Stephen Hemminger <shemminger@...ux-foundation.org>,
"David S. Miller" <davem@...emloft.net>,
ebtables-user@...ts.sourceforge.net,
ebtables-devel@...ts.sourceforge.net,
netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org,
coreteam@...filter.org, bridge@...ts.linux-foundation.org,
netdev@...r.kernel.org
Subject: [PATCH] bridge: netfilter: fix information leak

Struct tmp is copied from userspace. It is not checked whether the "name"
field is NULL terminated. This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline. It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>
---
Compile tested.
net/bridge/netfilter/ebtables.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825d..1ea820b 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo)
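Review bot: The added `tmp.name[sizeof(tmp.name)-1] = 0;` silently truncates a name that fills the whole field instead of rejecting it, so a request whose name has no terminator proceeds with a name one byte shorter than what the caller supplied. Consider returning an error when no NUL is found within sizeof(tmp.name), or at least add a one-line comment saying the field comes from userspace and is used as a string afterwards, which is why it is terminated here. Style: kernel convention puts spaces around the binary operator (`sizeof(tmp.name) - 1`), and '\0' reads more clearly than 0 for a char.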
--
1.7.0.4
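The difference between forcing termination of a fixed-size name field, as the patch does, and rejecting an unterminated one, shown as an added userspace example that is not part of the original patch or of the kernel source. `struct replace_hdr`, `NAME_LEN` and all function names are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32 /* assumed field size for this sketch */

/* Hypothetical stand-in for a header copied verbatim from an untrusted caller. */
struct replace_hdr {
    char name[NAME_LEN];
    unsigned int nentries;
};

/* Bounded check: 0 if a NUL lies inside the fixed-size field, -1 otherwise. */
static int validate_name(const struct replace_hdr *h)
{
    return memchr(h->name, '\0', sizeof(h->name)) ? 0 : -1;
}

/* What the patch does: overwrite the last byte, truncating silently. */
static void force_terminate(struct replace_hdr *h)
{
    h->name[sizeof(h->name) - 1] = '\0';
}

/* Constructed input: every byte of the name field is non-zero. */
static void fill_unterminated(struct replace_hdr *h)
{
    memset(h, 0, sizeof(*h));
    memset(h->name, 'A', sizeof(h->name));
    h->nentries = 1;
}

/* Length that string functions see once the field has been terminated. */
static size_t len_after_fix(void)
{
    struct replace_hdr h;

    fill_unterminated(&h);
    force_terminate(&h);
    return strlen(h.name);
}

int main(void)
{
    struct replace_hdr h;

    fill_unterminated(&h);
    printf("validate before fix: %d\n", validate_name(&h));
    printf("length after fix: %zu\n", len_after_fix());
    return 0;
}
```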