Vasiliy Kulikov
2011-Feb-14 10:54 UTC
[Bridge] [PATCH] bridge: netfilter: fix information leak
Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon at openwall.com> --- Compile tested. net/bridge/netfilter/ebtables.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5f1825d..1ea820b 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user, if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) return -ENOMEM; + tmp.name[sizeof(tmp.name)-1] = 0; + countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; newinfo = vmalloc(sizeof(*newinfo) + countersize); if (!newinfo) -- 1.7.0.4
Patrick McHardy
2011-Feb-14 15:50 UTC
[Bridge] [PATCH] bridge: netfilter: fix information leak
Am 14.02.2011 11:54, schrieb Vasiliy Kulikov:> Struct tmp is copied from userspace. It is not checked whether the "name" > field is NULL terminated. This may lead to buffer overflow and passing > contents of kernel stack as a module name to try_then_request_module() and, > consequently, to modprobe commandline. It would be seen by all userspace > processes. > > Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>Applied, thanks Vasiliy.