Message-ID: <20170515165222.GA3986@salvia>
Date: Mon, 15 May 2017 18:52:22 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, rgb@...hat.com, fwestpha@...hat.com, pmoore@...hat.com, pvrabec@...hat.com, davem@...emloft.net, Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH nf] xtables: zero padding in data_to_user

On Tue, May 09, 2017 at 04:17:37PM -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@...gle.com>
>
> When looking up an iptables rule, the iptables binary compares the
> aligned match and target data (XT_ALIGN). In some cases this can
> exceed the actual data size to include padding bytes.
>
> Before commit f77bc5b23fb1 ("iptables: use match, target and data
> copy_to_user helpers") the malloc()ed bytes were overwritten by the
> kernel with kzalloced contents, zeroing the padding and making the
> comparison succeed. After this patch, the kernel copies and clears
> only data, leaving the padding bytes undefined.
>
> Extend the clear operation from data size to aligned data size to
> include the padding bytes, if any.
>
> Padding bytes can be observed in both match and target, and the bug
> triggered, by issuing a rule with match icmp and target ACCEPT:
>
>   iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
>   iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT

Applied, thanks.
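
The padding problem described in the quoted commit message, modelled in userspace as an added example (not code from the patch or from iptables). ALIGN8, model_data_to_user and lookup_matches are hypothetical names; the 8-byte alignment, the zero-filled comparison buffer and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed 8-byte alignment, standing in for XT_ALIGN on a 64-bit build. */
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)

/* Hypothetical model of the kernel-to-user copy: copy the data, then zero
 * the destination from data_len up to clear_to. */
static void model_data_to_user(unsigned char *dst, const unsigned char *src,
                               size_t data_len, size_t clear_to)
{
    memcpy(dst, src, data_len);
    if (clear_to > data_len)
        memset(dst + data_len, 0, clear_to - data_len);
}

/* Returns 1 when a lookup that compares the aligned size finds the rule.
 * clear_aligned = 0: clearing stops at the data size.
 * clear_aligned = 1: clearing extends to the aligned size.
 * data_len must be at most 16 in this model. */
static int lookup_matches(size_t data_len, int clear_aligned)
{
    unsigned char kernel_data[16] = { 1, 0, 0xff, 0 }; /* constructed data */
    unsigned char wanted[16] = { 0 }; /* rule built by the tool, zero-filled */
    unsigned char fetched[16];        /* stands in for a malloc()ed buffer */
    size_t aligned = ALIGN8(data_len);

    memcpy(wanted, kernel_data, data_len);
    memset(fetched, 0xAA, sizeof(fetched)); /* simulate stale heap contents */
    model_data_to_user(fetched, kernel_data, data_len,
                       clear_aligned ? aligned : data_len);
    return memcmp(wanted, fetched, aligned) == 0;
}

int main(void)
{
    printf("4-byte data, clear to data size:    %d\n", lookup_matches(4, 0));
    printf("4-byte data, clear to aligned size: %d\n", lookup_matches(4, 1));
    printf("8-byte data, clear to data size:    %d\n", lookup_matches(8, 0));
    return 0;
}
```

Data whose size is already a multiple of the alignment has no padding, so in this model only the unaligned sizes fail the comparison.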