[kernel] CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052, 915057)

Josh Boyer jwboyer at fedoraproject.org
Sun Feb 24 19:03:20 UTC 2013 

commit 23479883b75c26d9065becfeca340e58d66ae590
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Sun Feb 24 13:58:12 2013 -0500

    CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)

 kernel.spec                                        |   11 +++-
 ...ut-of-bounds-access-to-sock_diag_handlers.patch |   86 ++++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index f875775..c4c1ee1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -733,6 +733,9 @@ Patch21247: ath9k_rx_dma_stop_check.patch
 #rhbz 844750
 Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
 
+#CVE-2013-1763 rhbz 915052,915057
+Patch21251: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
+
 #rhbz 812111
 Patch21260: alps-v2.patch
 
@@ -1429,6 +1432,9 @@ ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
 #rhbz 812111
 ApplyPatch alps-v2.patch
 
+#CVE-2013-1763 rhbz 915052,915057
+ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2284,6 +2290,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Sun Feb 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)
+
 * Fri Feb 22 2013 Josh Boyer <jwboyer at redhat.com> - 3.9.0-0.rc0.git5.1
 - Linux v3.8-6071-g8b5628a
 
diff --git a/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch b/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
new file mode 100644
index 0000000..7508a76
--- /dev/null
+++ b/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
@@ -0,0 +1,86 @@
+Path: news.gmane.org!not-for-mail
+From: Mathias Krause <minipli at googlemail.com>
+Newsgroups: gmane.linux.network
+Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+Date: Sat, 23 Feb 2013 12:13:47 +0100
+Lines: 28
+Approved: news at gmane.org
+Message-ID: <1361618028-9024-2-git-send-email-minipli at googlemail.com>
+References: <1361618028-9024-1-git-send-email-minipli at googlemail.com>
+NNTP-Posting-Host: plane.gmane.org
+X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC)
+Cc: netdev at vger.kernel.org, Mathias Krause <minipli at googlemail.com>
+To: "David S. Miller" <davem at davemloft.net>
+Original-X-From: netdev-owner at vger.kernel.org Sat Feb 23 12:14:49 2013
+Return-path: <netdev-owner at vger.kernel.org>
+Envelope-to: linux-netdev-2 at plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <netdev-owner at vger.kernel.org>)
+	id 1U9D3z-0003H8-6Z
+	for linux-netdev-2 at plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100
+Original-Received: (majordomo at vger.kernel.org) by vger.kernel.org via listexpand
+	id S1757811Ab3BWLOQ (ORCPT <rfc822;linux-netdev-2 at m.gmane.org>);
+	Sat, 23 Feb 2013 06:14:16 -0500
+Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO
+	mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1757044Ab3BWLOM (ORCPT
+	<rfc822;netdev at vger.kernel.org>); Sat, 23 Feb 2013 06:14:12 -0500
+Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40
+        for <netdev at vger.kernel.org>; Sat, 23 Feb 2013 03:14:11 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=googlemail.com; s=20120113;
+        h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
+         :references;
+        bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=;
+        b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK
+         ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo
+         Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY
+         D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8
+         ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM
+         od5Q==
+X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168;
+        Sat, 23 Feb 2013 03:14:11 -0800 (PST)
+Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88])
+        by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09
+        (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
+        Sat, 23 Feb 2013 03:14:10 -0800 (PST)
+X-Mailer: git-send-email 1.7.10.4
+In-Reply-To: <1361618028-9024-1-git-send-email-minipli at googlemail.com>
+Original-Sender: netdev-owner at vger.kernel.org
+Precedence: bulk
+List-ID: <netdev.vger.kernel.org>
+X-Mailing-List: netdev at vger.kernel.org
+Xref: news.gmane.org gmane.linux.network:260061
+Archived-At: <http://permalink.gmane.org/gmane.linux.network/260061>
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+---
+ net/core/sock_diag.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 602cd63..750f44f 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 	if (nlmsg_len(nlh) < sizeof(*req))
+ 		return -EINVAL;
+ 
++	if (req->sdiag_family >= AF_MAX)
++		return -EINVAL;
++
+ 	hndl = sock_diag_lock_handler(req->sdiag_family);
+ 	if (hndl == NULL)
+ 		err = -ENOENT;
+-- 
+1.7.10.4
+

More information about the scm-commits mailing list