[kernel/f14/master] fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880)

Kyle McMartin kyle at fedoraproject.org
Tue Nov 23 16:18:07 UTC 2010 

commit c86d4707a6dc06c36b1577fbc98b7e58d55b7530
Author: Kyle McMartin <kyle at mcmartin.ca>
Date:   Tue Nov 23 11:12:31 2010 -0500

    fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880)

 ...-sure-we-run-the-same-bytecode-we-audited.patch |  105 ++++++++++++++++++++
 kernel.spec                                        |    6 +
 2 files changed, 111 insertions(+), 0 deletions(-)
---
diff --git a/inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch b/inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
new file mode 100644
index 0000000..355b5c6
--- /dev/null
+++ b/inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
@@ -0,0 +1,105 @@
+From 56e0d4414e5eeacd9eaf68ce93dcb80f9c62bfb4 Mon Sep 17 00:00:00 2001
+From: Nelson Elhage <nelhage at ksplice.com>
+Date: Wed, 3 Nov 2010 16:35:41 +0000
+Subject: inet_diag: Make sure we actually run the same bytecode we audited.
+
+We were using nlmsg_find_attr() to look up the bytecode by attribute when
+auditing, but then just using the first attribute when actually running
+bytecode. So, if we received a message with two attribute elements, where only
+the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
+bytecode strings.
+
+Fix this by consistently using nlmsg_find_attr everywhere.
+
+Signed-off-by: Nelson Elhage <nelhage at ksplice.com>
+Signed-off-by: Thomas Graf <tgraf at infradead.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/inet_diag.c |   27 ++++++++++++++++-----------
+ 1 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index e5fa2dd..7403b9b 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -490,9 +490,11 @@ static int inet_csk_diag_dump(struct sock *sk,
+ {
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ 		struct inet_diag_entry entry;
+-		struct rtattr *bc = (struct rtattr *)(r + 1);
++		const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++							  sizeof(*r),
++							  INET_DIAG_REQ_BYTECODE);
+ 		struct inet_sock *inet = inet_sk(sk);
+ 
+ 		entry.family = sk->sk_family;
+@@ -512,7 +514,7 @@ static int inet_csk_diag_dump(struct sock *sk,
+ 		entry.dport = ntohs(inet->inet_dport);
+ 		entry.userlocks = sk->sk_userlocks;
+ 
+-		if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++		if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ 			return 0;
+ 	}
+ 
+@@ -527,9 +529,11 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ {
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
+ 		struct inet_diag_entry entry;
+-		struct rtattr *bc = (struct rtattr *)(r + 1);
++		const struct nlattr *bc = nlmsg_find_attr(cb->nlh,
++							  sizeof(*r),
++							  INET_DIAG_REQ_BYTECODE);
+ 
+ 		entry.family = tw->tw_family;
+ #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+@@ -548,7 +552,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
+ 		entry.dport = ntohs(tw->tw_dport);
+ 		entry.userlocks = 0;
+ 
+-		if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry))
++		if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry))
+ 			return 0;
+ 	}
+ 
+@@ -618,7 +622,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 	struct inet_diag_req *r = NLMSG_DATA(cb->nlh);
+ 	struct inet_connection_sock *icsk = inet_csk(sk);
+ 	struct listen_sock *lopt;
+-	struct rtattr *bc = NULL;
++	const struct nlattr *bc = NULL;
+ 	struct inet_sock *inet = inet_sk(sk);
+ 	int j, s_j;
+ 	int reqnum, s_reqnum;
+@@ -638,8 +642,9 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 	if (!lopt || !lopt->qlen)
+ 		goto out;
+ 
+-	if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) {
+-		bc = (struct rtattr *)(r + 1);
++	if (nlmsg_attrlen(cb->nlh, sizeof(*r))) {
++		bc = nlmsg_find_attr(cb->nlh, sizeof(*r),
++				     INET_DIAG_REQ_BYTECODE);
+ 		entry.sport = inet->inet_num;
+ 		entry.userlocks = sk->sk_userlocks;
+ 	}
+@@ -672,8 +677,8 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk,
+ 					&ireq->rmt_addr;
+ 				entry.dport = ntohs(ireq->rmt_port);
+ 
+-				if (!inet_diag_bc_run(RTA_DATA(bc),
+-						    RTA_PAYLOAD(bc), &entry))
++				if (!inet_diag_bc_run(nla_data(bc),
++						      nla_len(bc), &entry))
+ 					continue;
+ 			}
+ 
+-- 
+1.7.3.2
+
diff --git a/kernel.spec b/kernel.spec
index 2fcc407..c803bd6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -780,6 +780,8 @@ Patch13652: fix-i8k-inline-asm.patch
 Patch13700: ipc-zero-struct-memory-for-compat-fns.patch
 Patch13701: ipc-shm-fix-information-leak-to-user.patch
 
+Patch13702: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1460,6 +1462,9 @@ ApplyPatch ipc-zero-struct-memory-for-compat-fns.patch
 # rhbz#648656 (CVE-2010-4072)
 ApplyPatch ipc-shm-fix-information-leak-to-user.patch
 
+# rhbz#651264 (CVE-2010-3880)
+ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2049,6 +2054,7 @@ fi
 * Tue Nov 23 2010 Kyle McMartin <kyle at redhat.com>
 - zero struct memory in ipc compat (CVE-2010-4073) (#648658)
 - zero struct memory in ipc shm (CVE-2010-4072) (#648656)
+- fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880) (#651264)
 
 * Tue Nov 23 2010 Kyle McMartin <kyle at redhat.com>
 - fix-i8k-inline-asm.patch: backport gcc miscompilation fix from git

More information about the scm-commits mailing list