From patchwork Thu Mar 10 18:13:46 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vasiliy Kulikov X-Patchwork-Id: 86328 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 4B8A9B6F11 for ; Fri, 11 Mar 2011 05:14:21 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753962Ab1CJSNz (ORCPT ); Thu, 10 Mar 2011 13:13:55 -0500 Received: from mail-bw0-f46.google.com ([209.85.214.46]:57678 "EHLO mail-bw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753210Ab1CJSNx (ORCPT ); Thu, 10 Mar 2011 13:13:53 -0500 Received: by bwz15 with SMTP id 15so2048703bwz.19 for ; Thu, 10 Mar 2011 10:13:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:from:to:cc:subject:date:message-id :x-mailer; bh=7YEC2SY7VhSGrMA8vq+Ju5+o5kjOk9+itMlXNawqK4s=; b=U4w25xUxEf4nlYPMTAa0M5DcHmaDBrAlijAs61f4qzLZP0Es4QvjzLM12cKua35kLo rqs3eM3EoQ0jLPWAs8WDnmPEIFoFk9kDYu3QYIwLnpDkgnLQAl5j8kQX6yKarmKqIcan NwxWv6SdErb0pHPxfLby/3lNK3elib0VK8Epk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:from:to:cc:subject:date:message-id:x-mailer; b=NYYVoVTGs3R8occbUJx40wl2aFxfz+5YjKZVaajntLLcGE8QlVSVd1H/O89SiqVorh d1FapZBR/T/uxrgjSNsMuEarmk9cB3udYbzUUjf7+MyqDmHfayJ1Chb/og2195roYeXx w6HeOzLv9wMdbWULPkwWz+LZATfaWuXDBwPP0= Received: by 10.204.25.9 with SMTP id x9mr1209322bkb.82.1299780831889; Thu, 10 Mar 2011 10:13:51 -0800 (PST) Received: from localhost (ppp85-140-6-168.pppoe.mtu-net.ru [85.140.6.168]) by mx.google.com with ESMTPS id b6sm2333170bkb.10.2011.03.10.10.13.49 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 10 Mar 2011 10:13:51 -0800 (PST) From: Vasiliy Kulikov To: linux-kernel@vger.kernel.org Cc: security@kernel.org, Patrick McHardy , "David S. Miller" , Alexey Kuznetsov , James Morris , Hideaki YOSHIFUJI , netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org Subject: [PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace Date: Thu, 10 Mar 2011 21:13:46 +0300 Message-Id: <1299780827-344-1-git-send-email-segoon@openwall.com> X-Mailer: git-send-email 1.7.0.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second was introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have CAP_NET_ADMIN. Signed-off-by: Vasiliy Kulikov --- Compile tested. net/ipv6/netfilter/ip6_tables.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 47b7b8d..c9598a9 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1275,6 +1275,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len) /* overflow check */ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); if (!newinfo) @@ -1822,6 +1823,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); if (!newinfo) @@ -2051,6 +2053,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) ret = -EFAULT; break; } + rev.name[sizeof(rev.name)-1] = 0; if (cmd == IP6T_SO_GET_REVISION_TARGET) target = 1;