| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 May 2015 13:42:03 +0200 From: Pablo Neira Ayuso <pablo@...filter.org> To: Dave Jones <davej@...emonkey.org.uk> Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, fw@...len.de, David Miller <davem@...emloft.net> Subject: Re: netfilter: ensure number of counters is >0 in do_replace() On Tue, May 19, 2015 at 08:55:17PM -0400, Dave Jones wrote: > After improving setsockopt() coverage in trinity, I started triggering > vmalloc failures pretty reliably from this code path: > > warn_alloc_failed+0xe9/0x140 > __vmalloc_node_range+0x1be/0x270 > vzalloc+0x4b/0x50 > __do_replace+0x52/0x260 [ip_tables] > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] > nf_setsockopt+0x65/0x90 > ip_setsockopt+0x61/0xa0 > raw_setsockopt+0x16/0x60 > sock_common_setsockopt+0x14/0x20 > SyS_setsockopt+0x71/0xd0 > > It turns out we don't validate that the num_counters field in the > struct we pass in from userspace is initialized. > > The same problem also exists in ebtables, arptables, ipv6, and the > compat variants. Applied. This also applies to -stable kernels: 3.2.x 3.4.x 3.10.x 3.12.x 3.14.x 3.18.x 4.0.x so after some testing and a little while, I'll pass this on. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists