[kernel/f13/master] CVE-2010-4158 socket filters infoleak
Chuck Ebbert
cebbert at fedoraproject.org
Wed Dec 15 06:19:03 UTC 2010
commit 60a8a27c70083099d65141aa8dbd417b1947d50b
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Wed Dec 15 01:18:23 2010 -0500
CVE-2010-4158 socket filters infoleak
...re-filters-dont-read-uninitialized-memory.patch | 235 ++++++++++++++++++++
kernel.spec | 5 +
2 files changed, 240 insertions(+), 0 deletions(-)
---
diff --git a/filter-make-sure-filters-dont-read-uninitialized-memory.patch b/filter-make-sure-filters-dont-read-uninitialized-memory.patch
new file mode 100644
index 0000000..22d89a9
--- /dev/null
+++ b/filter-make-sure-filters-dont-read-uninitialized-memory.patch
@@ -0,0 +1,235 @@
+From: David S. Miller <davem at davemloft.net>
+Date: Wed, 10 Nov 2010 18:38:24 +0000 (-0800)
+Subject: filter: make sure filters dont read uninitialized memory
+X-Git-Tag: v2.6.37-rc2~20^2~27
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57fe93b374a6b8711995c2d466c502af9f3a08bb
+
+[ trivial backport to 2.6.34 ]
+
+filter: make sure filters dont read uninitialized memory
+
+There is a possibility malicious users can get limited information about
+uninitialized stack mem array. Even if sk_run_filter() result is bound
+to packet length (0 .. 65535), we could imagine this can be used by
+hostile user.
+
+Initializing mem[] array, like Dan Rosenberg suggested in his patch is
+expensive since most filters dont even use this array.
+
+Its hard to make the filter validation in sk_chk_filter(), because of
+the jumps. This might be done later.
+
+In this patch, I use a bitmap (a single long var) so that only filters
+using mem[] loads/stores pay the price of added security checks.
+
+For other filters, additional cost is a single instruction.
+
+[ Since we access fentry->k a lot now, cache it in a local variable
+ and mark filter entry pointer as const. -DaveM ]
+
+Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 7beaec3..23e9b2a 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -112,39 +112,41 @@ EXPORT_SYMBOL(sk_filter);
+ */
+ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
+ {
+- struct sock_filter *fentry; /* We walk down these */
+ void *ptr;
+ u32 A = 0; /* Accumulator */
+ u32 X = 0; /* Index Register */
+ u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */
++ unsigned long memvalid = 0;
+ u32 tmp;
+ int k;
+ int pc;
+
++ BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
+ /*
+ * Process array of filter instructions.
+ */
+ for (pc = 0; pc < flen; pc++) {
+- fentry = &filter[pc];
++ const struct sock_filter *fentry = &filter[pc];
++ u32 f_k = fentry->k;
+
+ switch (fentry->code) {
+ case BPF_ALU|BPF_ADD|BPF_X:
+ A += X;
+ continue;
+ case BPF_ALU|BPF_ADD|BPF_K:
+- A += fentry->k;
++ A += f_k;
+ continue;
+ case BPF_ALU|BPF_SUB|BPF_X:
+ A -= X;
+ continue;
+ case BPF_ALU|BPF_SUB|BPF_K:
+- A -= fentry->k;
++ A -= f_k;
+ continue;
+ case BPF_ALU|BPF_MUL|BPF_X:
+ A *= X;
+ continue;
+ case BPF_ALU|BPF_MUL|BPF_K:
+- A *= fentry->k;
++ A *= f_k;
+ continue;
+ case BPF_ALU|BPF_DIV|BPF_X:
+ if (X == 0)
+@@ -152,49 +154,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
+ A /= X;
+ continue;
+ case BPF_ALU|BPF_DIV|BPF_K:
+- A /= fentry->k;
++ A /= f_k;
+ continue;
+ case BPF_ALU|BPF_AND|BPF_X:
+ A &= X;
+ continue;
+ case BPF_ALU|BPF_AND|BPF_K:
+- A &= fentry->k;
++ A &= f_k;
+ continue;
+ case BPF_ALU|BPF_OR|BPF_X:
+ A |= X;
+ continue;
+ case BPF_ALU|BPF_OR|BPF_K:
+- A |= fentry->k;
++ A |= f_k;
+ continue;
+ case BPF_ALU|BPF_LSH|BPF_X:
+ A <<= X;
+ continue;
+ case BPF_ALU|BPF_LSH|BPF_K:
+- A <<= fentry->k;
++ A <<= f_k;
+ continue;
+ case BPF_ALU|BPF_RSH|BPF_X:
+ A >>= X;
+ continue;
+ case BPF_ALU|BPF_RSH|BPF_K:
+- A >>= fentry->k;
++ A >>= f_k;
+ continue;
+ case BPF_ALU|BPF_NEG:
+ A = -A;
+ continue;
+ case BPF_JMP|BPF_JA:
+- pc += fentry->k;
++ pc += f_k;
+ continue;
+ case BPF_JMP|BPF_JGT|BPF_K:
+- pc += (A > fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A > f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JGE|BPF_K:
+- pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A >= f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JEQ|BPF_K:
+- pc += (A == fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A == f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JSET|BPF_K:
+- pc += (A & fentry->k) ? fentry->jt : fentry->jf;
++ pc += (A & f_k) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_JMP|BPF_JGT|BPF_X:
+ pc += (A > X) ? fentry->jt : fentry->jf;
+@@ -209,7 +211,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
+ pc += (A & X) ? fentry->jt : fentry->jf;
+ continue;
+ case BPF_LD|BPF_W|BPF_ABS:
+- k = fentry->k;
++ k = f_k;
+ load_w:
+ ptr = load_pointer(skb, k, 4, &tmp);
+ if (ptr != NULL) {
+@@ -218,7 +220,7 @@ load_w:
+ }
+ break;
+ case BPF_LD|BPF_H|BPF_ABS:
+- k = fentry->k;
++ k = f_k;
+ load_h:
+ ptr = load_pointer(skb, k, 2, &tmp);
+ if (ptr != NULL) {
+@@ -227,7 +229,7 @@ load_h:
+ }
+ break;
+ case BPF_LD|BPF_B|BPF_ABS:
+- k = fentry->k;
++ k = f_k;
+ load_b:
+ ptr = load_pointer(skb, k, 1, &tmp);
+ if (ptr != NULL) {
+@@ -242,32 +244,34 @@ load_b:
+ X = skb->len;
+ continue;
+ case BPF_LD|BPF_W|BPF_IND:
+- k = X + fentry->k;
++ k = X + f_k;
+ goto load_w;
+ case BPF_LD|BPF_H|BPF_IND:
+- k = X + fentry->k;
++ k = X + f_k;
+ goto load_h;
+ case BPF_LD|BPF_B|BPF_IND:
+- k = X + fentry->k;
++ k = X + f_k;
+ goto load_b;
+ case BPF_LDX|BPF_B|BPF_MSH:
+- ptr = load_pointer(skb, fentry->k, 1, &tmp);
++ ptr = load_pointer(skb, f_k, 1, &tmp);
+ if (ptr != NULL) {
+ X = (*(u8 *)ptr & 0xf) << 2;
+ continue;
+ }
+ return 0;
+ case BPF_LD|BPF_IMM:
+- A = fentry->k;
++ A = f_k;
+ continue;
+ case BPF_LDX|BPF_IMM:
+- X = fentry->k;
++ X = f_k;
+ continue;
+ case BPF_LD|BPF_MEM:
+- A = mem[fentry->k];
++ A = (memvalid & (1UL << f_k)) ?
++ mem[f_k] : 0;
+ continue;
+ case BPF_LDX|BPF_MEM:
+- X = mem[fentry->k];
++ X = (memvalid & (1UL << f_k)) ?
++ mem[f_k] : 0;
+ continue;
+ case BPF_MISC|BPF_TAX:
+ X = A;
+@@ -276,14 +280,16 @@ load_b:
+ A = X;
+ continue;
+ case BPF_RET|BPF_K:
+- return fentry->k;
++ return f_k;
+ case BPF_RET|BPF_A:
+ return A;
+ case BPF_ST:
+- mem[fentry->k] = A;
++ memvalid |= 1UL << f_k;
++ mem[f_k] = A;
+ continue;
+ case BPF_STX:
+- mem[fentry->k] = X;
++ memvalid |= 1UL << f_k;
++ mem[f_k] = X;
+ continue;
+ default:
+ WARN_ON(1);
diff --git a/kernel.spec b/kernel.spec
index b785fcd..33066b5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -900,6 +900,8 @@ Patch13917: af_unix-limit-unix_tot_inflight.patch
Patch13918: scm-lower-SCM-MAX-FD.patch
# CVE-2010-4157
Patch13919: gdth-integer-overflow-in-ioctl.patch
+# CVE-2010-4158
+Patch13920: filter-make-sure-filters-dont-read-uninitialized-memory.patch
%endif
@@ -1724,6 +1726,8 @@ ApplyPatch af_unix-limit-unix_tot_inflight.patch
ApplyPatch scm-lower-SCM-MAX-FD.patch
# CVE-2010-4157
ApplyPatch gdth-integer-overflow-in-ioctl.patch
+# CVE-2010-4158
+ApplyPatch filter-make-sure-filters-dont-read-uninitialized-memory.patch
# END OF PATCH APPLICATIONS
@@ -2348,6 +2352,7 @@ fi
%changelog
* Tue Dec 14 2010 Chuck Ebbert <cebbert at redhat.com>
- CVE-2010-4157 gdth: integer overflow in ioc_general()
+- CVE-2010-4158 socket filters infoleak
* Tue Dec 14 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.34.7-65
- CVE-2010-4162 bio: integer overflow page count when mapping/copying user data
More information about the scm-commits
mailing list