Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [linux-2.6] Fix signedness issues in net/core/filter.c
> On Tue, Oct 25, 2005 at 05:35:19PM +0200, Florian Weimer wrote:
>> Is the issue described below already on your radar screen? I couldn't
>> find it in the relevant files. AFAICT, no CVE name has been assigned.
>
> It's the first I've seen of it, but that doesn't mean much.
> Which GIT tree is the commit from, I checked Linus' 2.6 and it
> doesn't seem to be there. Alternatively, is there a mailing list
> discussion you can point me to?

It seems to be in Linus' tree. Note that it is not actually recent.

<http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=55820ee2f8c767a2833b21bd365e5753f50bd8ce>

There hasn't been a real discussion. I was alerted to this commit by
Herbert Xu's message:

From: Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [CHECKER] buffer overflows in net/core/filter.c?
To: engler@csl.stanford.edu
Cc: linux-kernel@vger.kernel.org, engler@cs.stanford.edu,
        jschlst@samba.org, mc@cs.stanford.edu, kaber@trash.net
Date: Sun, 16 Oct 2005 21:55:48 +1000
Organization: Core
Message-Id: <E1ER77E-0002N0-00@gondolin.me.apana.org.au>

I found another message referencing this problem.

From: Chris Wright <chrisw@osdl.org>
Subject: [05/13] [NET]: Fix signedness issues in net/core/filter.c
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
        Zwane Mwaikambo <zwane@arm.linux.org.uk>,
        "Theodore Ts'o" <tytso@mit.edu>,
        Randy Dunlap <rdunlap@xenotime.net>,
        Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
        akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
        Patrick McHardy <kaber@trash.net>
Date: Tue, 2 Aug 2005 23:53:48 -0700
Message-ID: <20050803065348.GT7762@shell0.pdx.osdl.net>
Enyo-Status: sender=12.107.209.244 asn=22753 hflags= mflags=k

This one suggests it was part of 12.6.2.4. Indeed, there seems to be
this change:

<http://www.kernel.org/git/?p=linux/kernel/git/chrisw/linux-2.6.12.y.git;a=commit;h=4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e>
Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [linux-2.6] Fix signedness issues in net/core/filter.c
On Tue, Oct 25, 2005 at 05:35:19PM +0200, Florian Weimer wrote:
> Is the issue described below already on your radar screen? I couldn't
> find it in the relevant files. AFAICT, no CVE name has been assigned.

It's the first I've seen of it, but that doesn't mean much.
Which GIT tree is the commit from, I checked Linus' 2.6 and it
doesn't seem to be there. Alternatively, is there a mailing list
discussion you can point me to?

I just came back from holidays in Korea with Dave Miller which would
explain a) why I am so slow this week and b) perhaps why it hasn't
made it into Linus' tree. I think he'll be back on deck next week.

> commit 4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Mon Jul 18 06:52:50 2005 +0200
>
>     [PATCH] Fix signedness issues in net/core/filter.c
>
>     This is the code to load packet data into a register:
>
>             k = fentry->k;
>             if (k < 0) {
>                     ...
>             } else {
>                     u32 _tmp, *p;
>                     p = skb_header_pointer(skb, k, 4, &_tmp);
>                     if (p != NULL) {
>                             A = ntohl(*p);
>                             continue;
>                     }
>             }
>
>     skb_header_pointer checks if the requested data is within the
>     linear area:
>
>             int hlen = skb_headlen(skb);
>
>             if (offset + len <= hlen)
>                     return skb->data + offset;
>
>     When offset is within [INT_MAX-len+1..INT_MAX] the addition will
>     result in a negative number which is <= hlen.
>
>     I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
>     coworker tried on his x86 machine and it crashed immediately.
>
>     This patch fixes the check in skb_header_pointer to handle large
>     positive offsets similar to skb_copy_bits. Invalid data can still
>     be accessed using negative offsets (also similar to skb_copy_bits),
>     anyone using negative offsets needs to verify them himself.
>
>     Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
>     problem by crashing his machine and providing me with an Oops.
>
>     Signed-off-by: Patrick McHardy <kaber@trash.net>
>     Signed-off-by: Chris Wright <chrisw@osdl.org>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

-- 
Horms
Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [linux-2.6] Fix signedness issues in net/core/filter.c
On Wed, Oct 26, 2005 at 08:18:57PM +0200, Florian Weimer wrote:
> > On Tue, Oct 25, 2005 at 05:35:19PM +0200, Florian Weimer wrote:
> >> Is the issue described below already on your radar screen? I couldn't
> >> find it in the relevant files. AFAICT, no CVE name has been assigned.
> >
> > It's the first I've seen of it, but that doesn't mean much.
> > Which GIT tree is the commit from, I checked Linus' 2.6 and it
> > doesn't seem to be there. Alternatively, is there a mailing list
> > discussion you can point me to?
>
> It seems to be in Linus' tree. Note that it is not actually recent.
>
> <http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=55820ee2f8c767a2833b21bd365e5753f50bd8ce>
>
> There hasn't been a real discussion. I was alerted to this commit by
> Herbert Xu's message:
>
> From: Herbert Xu <herbert@gondor.apana.org.au>
> Subject: Re: [CHECKER] buffer overflows in net/core/filter.c?
> To: engler@csl.stanford.edu
> Cc: linux-kernel@vger.kernel.org, engler@cs.stanford.edu,
>         jschlst@samba.org, mc@cs.stanford.edu, kaber@trash.net
> Date: Sun, 16 Oct 2005 21:55:48 +1000
> Organization: Core
> Message-Id: <E1ER77E-0002N0-00@gondolin.me.apana.org.au>
>
> I found another message referencing this problem.
>
> From: Chris Wright <chrisw@osdl.org>
> Subject: [05/13] [NET]: Fix signedness issues in net/core/filter.c
> To: linux-kernel@vger.kernel.org, stable@kernel.org
> Cc: Justin Forbes <jmforbes@linuxtx.org>,
>         Zwane Mwaikambo <zwane@arm.linux.org.uk>,
>         "Theodore Ts'o" <tytso@mit.edu>,
>         Randy Dunlap <rdunlap@xenotime.net>,
>         Chuck Wolber <chuckw@quantumlinux.com>, torvalds@osdl.org,
>         akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
>         Patrick McHardy <kaber@trash.net>
> Date: Tue, 2 Aug 2005 23:53:48 -0700
> Message-ID: <20050803065348.GT7762@shell0.pdx.osdl.net>
> Enyo-Status: sender=12.107.209.244 asn=22753 hflags= mflags=k
>
> This one suggests it was part of 12.6.2.4. Indeed, there seems to be
> this change:
>
> <http://www.kernel.org/git/?p=linux/kernel/git/chrisw/linux-2.6.12.y.git;a=commit;h=4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e>

Thanks, Dann and I went over 2.6.4 and noted our findings at
http://lists.debian.org/debian-kernel/2005/08/msg00030.html

In a nutshell, it wasn't in 2.6.8 or 2.4.27. And it was fixed in 2.6.12-2.
It's probably worthy of a CVE, but from the Debian perspective, both
sarge and etch are clean.

-- 
Horms
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] [linux-2.6] Fix signedness issues in net/core/filter.c
Is the issue described below already on your radar screen? I couldn't
find it in the relevant files. AFAICT, no CVE name has been assigned.

commit 4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Jul 18 06:52:50 2005 +0200

    [PATCH] Fix signedness issues in net/core/filter.c

    This is the code to load packet data into a register:

            k = fentry->k;
            if (k < 0) {
                    ...
            } else {
                    u32 _tmp, *p;
                    p = skb_header_pointer(skb, k, 4, &_tmp);
                    if (p != NULL) {
                            A = ntohl(*p);
                            continue;
                    }
            }

    skb_header_pointer checks if the requested data is within the
    linear area:

            int hlen = skb_headlen(skb);

            if (offset + len <= hlen)
                    return skb->data + offset;

    When offset is within [INT_MAX-len+1..INT_MAX] the addition will
    result in a negative number which is <= hlen.

    I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
    coworker tried on his x86 machine and it crashed immediately.

    This patch fixes the check in skb_header_pointer to handle large
    positive offsets similar to skb_copy_bits. Invalid data can still
    be accessed using negative offsets (also similar to skb_copy_bits),
    anyone using negative offsets needs to verify them himself.

    Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
    problem by crashing his machine and providing me with an Oops.

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
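The signed overflow described in the commit message above, reproduced in user space as an added example; this is not code from the thread or from the kernel. `struct demo_skb`, its constructed 40-byte header length and the `demo()` driver are stand-ins for `sk_buff`/`skb_headlen()`, `check_buggy()` is the quoted `offset + len <= hlen` test, and `check_fixed()` is one safe formulation written for this example, not necessarily the exact expression the kernel patch used. The caller in the commit's load path has already rejected `k < 0`, so the only thing between a large positive `k` and a read from `skb->data + k` is this check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the linear area of an sk_buff: the bytes
 * skb->data points at and the value skb_headlen(skb) returns. */
struct demo_skb {
    unsigned char data[64];
    int headlen;
};

/* The pre-fix bounds check as quoted in the commit message,
 * `offset + len <= hlen` on signed ints. For offset in
 * [INT_MAX-len+1 .. INT_MAX] the addition wraps negative and the
 * comparison passes. The wrap is performed in unsigned arithmetic here
 * so this demo is itself well-defined C; the value it yields is what a
 * two's-complement CPU produced for the kernel's signed add. */
static bool check_buggy(int offset, int len, int hlen)
{
    int sum = (int)((unsigned int)offset + (unsigned int)len);
    return sum <= hlen;
}

/* One safe formulation, added here (not necessarily the expression the
 * kernel patch used): reject negative offsets and lengths up front, then
 * compare offset against hlen - len, a subtraction of two small
 * non-negative numbers that cannot overflow. */
static bool check_fixed(int offset, int len, int hlen)
{
    if (offset < 0 || len < 0 || len > hlen)
        return false;
    return offset <= hlen - len;
}

/* Mirror of the load path in the commit message: the filter's k has
 * already passed the caller's `k < 0` test, so this bounds check is all
 * that stands between a large positive k and a read from skb->data + k.
 * Uses the fixed check; returns NULL when the access is rejected. */
static const unsigned char *header_pointer(const struct demo_skb *skb,
                                           int offset, int len)
{
    if (!check_fixed(offset, len, skb->headlen))
        return NULL;
    return skb->data + offset;
}

/* Run both checks on the same (k, len) against a constructed 40-byte
 * header. Returns 1 when the buggy check admits an access that the fixed
 * one rejects, i.e. when the overflow is reproduced, and 0 otherwise. */
static int demo(int k, int len)
{
    struct demo_skb skb = { .headlen = 40 };   /* constructed sample */
    bool buggy = check_buggy(k, len, skb.headlen);
    bool fixed = check_fixed(k, len, skb.headlen);

    printf("k=%-11d len=%d hlen=%d  old check: %-6s  new check: %-6s  ptr: %s\n",
           k, len, skb.headlen,
           buggy ? "pass" : "reject",
           fixed ? "pass" : "reject",
           header_pointer(&skb, k, len) ? "valid" : "NULL");
    return buggy && !fixed;
}

int main(void)
{
    demo(0, 4);             /* first word: both checks pass */
    demo(36, 4);            /* last in-bounds word: both pass */
    demo(37, 4);            /* one byte past the header: both reject */
    demo(INT_MAX - 2, 4);   /* wraps: old check passes, new check rejects */
    return 0;
}
```

The last call is the case from the commit message: with `len = 4`, any `k` in `[INT_MAX-3, INT_MAX]` wraps to a negative sum, the old check passes, and the kernel would have read four bytes from `skb->data + k`. Note that `check_fixed()` rejects negative offsets outright, which is stricter than the behaviour the commit message describes for the kernel (callers that pass negative offsets are expected to validate them themselves); a filter interpreter that supports negative `k` needs its own check on that path.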