[libcgroup/f13/master] Fixed CVE-2011-1022 and CVE-2011-1006 Resolves: #680412

Jan Šafránek jsafrane at fedoraproject.org
Thu Mar 3 09:12:48 UTC 2011


commit fd5766d85daf14bfb7e9d4ef16a23209ef5e175f
Author: Jan Safranek <jsafrane at redhat.com>
Date:   Thu Mar 3 10:12:34 2011 +0100

    Fixed CVE-2011-1022 and CVE-2011-1006
    Resolves: #680412

 libcgroup-CVE-2011-1006.patch |   23 +++++++++++++
 libcgroup-CVE-2011-1022.patch |   74 +++++++++++++++++++++++++++++++++++++++++
 libcgroup.spec                |   10 +++++-
 3 files changed, 106 insertions(+), 1 deletions(-)
---
diff --git a/libcgroup-CVE-2011-1006.patch b/libcgroup-CVE-2011-1006.patch
new file mode 100644
index 0000000..247c424
--- /dev/null
+++ b/libcgroup-CVE-2011-1006.patch
@@ -0,0 +1,23 @@
+commit 466b2a3f88ab9604fed5050aa7d81d33f3d3bd0b
+Author: Jan Safranek <jsafrane at redhat.com>
+Date:   Tue Mar 1 12:25:30 2011 +0100
+
+    Fix buffer overflow when processing list of controllers from command line (CVE-2011-1006).
+    
+    Thanks to Nelson Elhage for reporting this issue.
+    
+    Signed-off-by: Jan Safranek <jsafrane at redhat.com>
+
+diff --git a/src/tools/tools-common.c b/src/tools/tools-common.c
+index 4beffcd..7d633be 100644
+--- a/src/tools/tools-common.c
++++ b/src/tools/tools-common.c
+@@ -79,7 +79,7 @@ int parse_cgroup_spec(struct cgroup_group_spec **cdptr, char *optarg,
+ 			}
+ 		}
+ 		j++;
+-	} while (temp);
++	} while (temp && j<CG_CONTROLLER_MAX-1);
+ 
+ 	/* Store path to the cgroup */
+ 	strncpy(cdptr[i]->path, pathptr, FILENAME_MAX);
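Review bot: The new bound `} while (temp && j<CG_CONTROLLER_MAX-1);` stops the write past the controller array but silently discards every controller after the limit, since the loop can now exit with `temp` still non-NULL and nothing visible afterwards reports that. A caller passing too many controllers would get a spec that quietly omits some of them; after the loop I would add `if (temp) { /* more than CG_CONTROLLER_MAX-1 controllers given */ return -1; }`, using whatever error value parse_cgroup_spec's other failure paths return, which lie outside this hunk. The following context line `strncpy(cdptr[i]->path, pathptr, FILENAME_MAX);` also leaves `path` unterminated when `pathptr` is FILENAME_MAX bytes or longer, if `path` is itself a FILENAME_MAX-sized array (its declaration is not visible here); `snprintf(cdptr[i]->path, sizeof(cdptr[i]->path), "%s", pathptr)` would both bound and terminate it. parse_cgroup_spec begins before and ends after this hunk.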
diff --git a/libcgroup-CVE-2011-1022.patch b/libcgroup-CVE-2011-1022.patch
new file mode 100644
index 0000000..a6579d7
--- /dev/null
+++ b/libcgroup-CVE-2011-1022.patch
@@ -0,0 +1,74 @@
+commit 0a59ea5e0b2ce466bfd35c9e700094bf09a0310d
+Author: Nelson Elhage <nelhage at ksplice.com>
+Date:   Thu Feb 17 20:55:12 2011 -0500
+
+    cgrulesengd: Ignore netlink messages that don't come from the kernel.
+    
+    recvfrom() returns the address, it doesn't filter the packet based on the
+    sender. We need to explicitly check the received address after the call happens.
+    
+    Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+    Signed-off-by: Jan Safranek <jsafrane at redhat.com>
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 10fd2cd..5a965fd 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -503,17 +503,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
+ 	struct sockaddr_nl from_nla;
+ 	socklen_t from_nla_len;
+ 	struct nlmsghdr *nlh;
+-	struct sockaddr_nl kern_nla;
+ 	struct cn_msg *cn_hdr;
+ 
+-	kern_nla.nl_family = AF_NETLINK;
+-	kern_nla.nl_groups = CN_IDX_PROC;
+-	kern_nla.nl_pid = 1;
+-	kern_nla.nl_pad = 0;
+-
+ 	memset(buff, 0, sizeof(buff));
+ 	from_nla_len = sizeof(from_nla);
+-	memcpy(&from_nla, &kern_nla, sizeof(from_nla));
+ 	recv_len = recvfrom(sk_nl, buff, sizeof(buff), 0,
+ 		(struct sockaddr *)&from_nla, &from_nla_len);
+ 	if (recv_len == ENOBUFS) {
+@@ -523,6 +516,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
+ 	if (recv_len < 1)
+ 		return 0;
+ 
++	if (from_nla.nl_groups != CN_IDX_PROC
++	    || from_nla.nl_pid != 0)
++		return 0;
++
+ 	nlh = (struct nlmsghdr *)buff;
+ 	while (NLMSG_OK(nlh, recv_len)) {
+ 		cn_hdr = NLMSG_DATA(nlh);
+
+commit 4dddc4f71fcf1b60012705c6278458599ac6ddff
+Author: Jan Safranek <jsafrane at redhat.com>
+Date:   Tue Mar 1 12:25:28 2011 +0100
+
+    Check length of netlink addresses.
+    
+    Folow up on CVE-2011-1022, add check for length of address of incoming
+    netlink packet, just to be sure.
+    
+    Pointed out by Steve Grubb.
+    
+    Signed-off-by: Jan Safranek <jsafrane at redhat.com>
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 5a965fd..590ae6a 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -516,6 +516,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
+ 	if (recv_len < 1)
+ 		return 0;
+ 
++	if (from_nla_len != sizeof(from_nla)) {
++		flog(LOG_ERR, "Bad address size reading netlink socket");
++		return 0;
++	}
+ 	if (from_nla.nl_groups != CN_IDX_PROC
+ 	    || from_nla.nl_pid != 0)
+ 		return 0;
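Review bot: The context line `if (recv_len == ENOBUFS) {` directly after the recvfrom() call compares the return value against an errno constant: recvfrom() returns -1 on failure and sets errno, so this branch fires for a legitimate message whose length happens to equal ENOBUFS and never for the receive-buffer overrun it is presumably meant to handle. It should read `if (recv_len < 0 && errno == ENOBUFS) {` (assuming `<errno.h>` is included, which is not visible here); the body of that branch is cut out of the nested hunk. Separately, the new sender check `from_nla.nl_pid != 0` deserves a one-line comment on why 0 is the right value, e.g. `/* nl_pid 0 is the kernel; any other sender is a user-space process spoofing connector events */`, so a later reader does not "fix" it back to a non-zero pid. cgre_receive_netlink_msg starts before and continues after this hunk.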
diff --git a/libcgroup.spec b/libcgroup.spec
index 6c4cf72..4d573b4 100644
--- a/libcgroup.spec
+++ b/libcgroup.spec
@@ -4,7 +4,7 @@ Name: libcgroup
 Summary: Tools and libraries to control and monitor control groups
 Group: Development/Libraries
 Version: 0.35.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 URL: http://libcg.sourceforge.net/
 Source0: http://downloads.sourceforge.net/libcg/%{name}-%{version}.tar.bz2
@@ -13,6 +13,9 @@ Patch1: fedora-config.patch
 Patch2: fedora-fix-initscripts.patch
 Patch3: libcgroup-0.36.2-initscripts.patch
 Patch4: fedora-nochdir.patch
+Patch5: libcgroup-CVE-2011-1006.patch
+Patch6: libcgroup-CVE-2011-1022.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: pam-devel
 BuildRequires: byacc
@@ -50,6 +53,8 @@ provide scripts to manage that configuration.
 %patch2 -p1 -b .lsb
 %patch3 -p1 -b .running
 %patch4 -p1 -b .nochdir
+%patch5 -p1
+%patch6 -p1
 
 %build
 %configure --bindir=/bin --sbindir=/sbin --libdir=/%{_lib}
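Review bot: The added `%patch5 -p1` and `%patch6 -p1` lines drop the `-b .suffix` argument that every neighbouring `%patchN` line in this hunk passes, which is inconsistent and loses the backup copies of the patched files that the other patches keep. For consistency with `%patch4 -p1 -b .nochdir` I would write `%patch5 -p1 -b .cve-2011-1006` and `%patch6 -p1 -b .cve-2011-1022`.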
@@ -142,6 +147,9 @@ fi
 
 
 %changelog
+* Thu Mar  3 2011 Jan Safranek <jsafrane at redhat.com> 0.35-5
+- Fixed CVE-2011-1022 and CVE-2011-1006
+
 * Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com> 0.35-4
 - Fix cgconfigparser not to change current working directory (#655210)
 

