lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 14 Dec 2015 16:12:40 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	hannes@...essinduktion.org
Cc:	netdev@...r.kernel.org, cwang@...pensource.com
Subject: Re: [PATCH net v2] net: add validation for the socket syscall
 protocol argument

From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Mon, 14 Dec 2015 22:03:39 +0100

> 郭永刚 reported that one could simply crash the kernel as root by
> using a simple program:
> 
> 	int socket_fd;
> 	struct sockaddr_in addr;
> 	addr.sin_port = 0;
> 	addr.sin_addr.s_addr = INADDR_ANY;
> 	addr.sin_family = 10;
> 
> 	socket_fd = socket(10,3,0x40000000);
> 	connect(socket_fd , &addr,16);
> 
> AF_INET, AF_INET6 sockets actually only support 8-bit protocol
> identifiers. inet_sock's skc_protocol field thus is sized accordingly,
> thus larger protocol identifiers simply cut off the higher bits and
> store a zero in the protocol fields.
> 
> This could lead to e.g. NULL function pointer because as a result of
> the cut off inet_num is zero and we call down to inet_autobind, which
> is NULL for raw sockets.
> 
> kernel: Call Trace:
> kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
> kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
> kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
> kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
> kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
> kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
> kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
> 
> I found no particular commit which introduced this problem.
> 
> CVE: CVE-2015-8543
> Cc: Cong Wang <cwang@...pensource.com>
> Reported-by: 郭永刚 <guoyonggang@....cn>
> Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>

Applied and queued up for -stable, thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ