[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CA+rthh88yDcHSO6bGa18=6ehO=2E50KpDka7LBo9MMPvV0+VSA@mail.gmail.com>
Date: Sat, 23 Feb 2013 20:10:33 +0100
From: Mathias Krause <minipli@...glemail.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
Dave Jones <davej@...hat.com>
Subject: Re: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
On Sat, Feb 23, 2013 at 6:35 PM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> On Sat, 2013-02-23 at 12:13 +0100, Mathias Krause wrote:
>> Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
>> with a family greater or equal then AF_MAX -- the array size of
>> sock_diag_handlers[]. The current code does not test for this
>> condition therefore is vulnerable to an out-of-bound access opening
>> doors for a privilege escalation.
>>
>> Signed-off-by: Mathias Krause <minipli@...glemail.com>
>> ---
>> net/core/sock_diag.c | 3 +++
>> 1 file changed, 3 insertions(+)
>
> Thanks for fixing this.
>
> It seems trinity didnt catch it !
For trinity to catch that one, trinity needs to generate a valid
netlink request on a PF_NETLINK socket with protocol
NETLINK_SOCK_DIAG. Very unlikely. Especially the sanity checks in
netlink_rcv_skb() will probably filter invalid messages before they
reach any interesting code. But if trinity would have support for
generating netlink messages, then, yes, it should probably have found
that bug easily. It's in there for ages, now ;)
>
> Acked-by: Eric Dumazet <edumazet@...gle.com>
>
>
Thanks,
Mathias
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists