[kernel/f19] CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
Josh Boyer
jwboyer at fedoraproject.org
Mon May 12 12:45:44 UTC 2014
commit 9edeb7ba4c483dd156f99c4c91d6f773d7090be0
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon May 12 08:44:41 2014 -0400
CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
...ent-nla-extensions-to-peek-beyond-the-end.patch | 98 ++++++++++++++++++++
kernel.spec | 9 ++
2 files changed, 107 insertions(+), 0 deletions(-)
---
diff --git a/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch b/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
new file mode 100644
index 0000000..1aec648
--- /dev/null
+++ b/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
@@ -0,0 +1,98 @@
+Bugzilla: 1096784
+Upstream-status: 3.15
+
+From 0e1e9b265ec6c9b69ba5443e0d11aaa9a92ded53 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 13 Apr 2014 18:23:33 +0200
+Subject: [PATCH] filter: prevent nla extensions to peek beyond the end of the
+ message
+
+Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3
+
+The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
+for a minimal message length before testing the supplied offset to be
+within the bounds of the message. This allows the subtraction of the nla
+header to underflow and therefore -- as the data type is unsigned --
+allowing far to big offset and length values for the search of the
+netlink attribute.
+
+The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
+also wrong. It has the minuend and subtrahend mixed up, therefore
+calculates a huge length value, allowing to overrun the end of the
+message while looking for the netlink attribute.
+
+The following three BPF snippets will trigger the bugs when attached to
+a UNIX datagram socket and parsing a message with length 1, 2 or 3.
+
+ ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
+ | ld #0x87654321
+ | ldx #42
+ | ld #nla
+ | ret a
+ `---
+
+ ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
+ | ld #0x87654321
+ | ldx #42
+ | ld #nlan
+ | ret a
+ `---
+
+ ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
+ | ; (needs a fake netlink header at offset 0)
+ | ld #0
+ | ldx #42
+ | ld #nlan
+ | ret a
+ `---
+
+Fix the first issue by ensuring the message length fulfills the minimal
+size constrains of a nla header. Fix the second bug by getting the math
+for the remainder calculation right.
+
+Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
+Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
+Cc: Patrick McHardy <kaber at trash.net>
+Cc: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Acked-by: Daniel Borkmann <dborkman at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/core/filter.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index ad30d626a5bd..7be35b5fc22f 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -355,6 +355,10 @@ load_b:
+
+ if (skb_is_nonlinear(skb))
+ return 0;
++
++ if (skb->len < sizeof(struct nlattr))
++ return 0;
++
+ if (A > skb->len - sizeof(struct nlattr))
+ return 0;
+
+@@ -371,11 +375,15 @@ load_b:
+
+ if (skb_is_nonlinear(skb))
+ return 0;
++
++ if (skb->len < sizeof(struct nlattr))
++ return 0;
++
+ if (A > skb->len - sizeof(struct nlattr))
+ return 0;
+
+ nla = (struct nlattr *)&skb->data[A];
+- if (nla->nla_len > A - skb->len)
++ if (nla->nla_len > skb->len - A)
+ return 0;
+
+ nla = nla_find_nested(nla, X);
+--
+1.9.0
+
diff --git a/kernel.spec b/kernel.spec
index 98f75af..ef8217c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -800,6 +800,9 @@ Patch25087: jme-fix-dma-unmap-error.patch
Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
+Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1543,6 +1546,9 @@ ApplyPatch jme-fix-dma-unmap-error.patch
ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
+ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2355,6 +2361,9 @@ fi
# and build.
%changelog
+* Mon May 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
+
* Fri May 09 2014 Josh Boyer <jwboyer at fedoraproject.org>
- CVE-2014-1738 CVE-2014-1737 floppy: priv esclation (rhbz 1094299 1096195)
More information about the scm-commits
mailing list