CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)

2013-02-24 13:58:12 -05:00 · 2013-02-24 13:58:12 -05:00 · 23479883b7
commit 23479883b7
parent e41bfbe382
2 changed files with 96 additions and 1 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -733,6 +733,9 @@ Patch21247: ath9k_rx_dma_stop_check.patch
 #rhbz 844750
 Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch

+#CVE-2013-1763 rhbz 915052,915057
+Patch21251: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
+
 #rhbz 812111
 Patch21260: alps-v2.patch

@ -1429,6 +1432,9 @@ ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
 #rhbz 812111
 ApplyPatch alps-v2.patch

+#CVE-2013-1763 rhbz 915052,915057
+ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2284,6 +2290,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Sun Feb 24 2013 Josh Boyer <jwboyer@redhat.com>
+- CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)
+
 * Fri Feb 22 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git5.1
 - Linux v3.8-6071-g8b5628a

--- a/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
+++ b/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
@ -0,0 +1,86 @@
+Path: news.gmane.org!not-for-mail
+From: Mathias Krause <minipli@googlemail.com>
+Newsgroups: gmane.linux.network
+Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+Date: Sat, 23 Feb 2013 12:13:47 +0100
+Lines: 28
+Approved: news@gmane.org
+Message-ID: <1361618028-9024-2-git-send-email-minipli@googlemail.com>
+References: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
+NNTP-Posting-Host: plane.gmane.org
+X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC)
+Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+To: "David S. Miller" <davem@davemloft.net>
+Original-X-From: netdev-owner@vger.kernel.org Sat Feb 23 12:14:49 2013
+Return-path: <netdev-owner@vger.kernel.org>
+Envelope-to: linux-netdev-2@plane.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <netdev-owner@vger.kernel.org>)
+	id 1U9D3z-0003H8-6Z
+	for linux-netdev-2@plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100
+Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+	id S1757811Ab3BWLOQ (ORCPT <rfc822;linux-netdev-2@m.gmane.org>);
+	Sat, 23 Feb 2013 06:14:16 -0500
+Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO
+	mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1757044Ab3BWLOM (ORCPT
+	<rfc822;netdev@vger.kernel.org>); Sat, 23 Feb 2013 06:14:12 -0500
+Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40
+        for <netdev@vger.kernel.org>; Sat, 23 Feb 2013 03:14:11 -0800 (PST)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=googlemail.com; s=20120113;
+        h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
+         :references;
+        bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=;
+        b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK
+         ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo
+         Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY
+         D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8
+         ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM
+         od5Q==
+X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168;
+        Sat, 23 Feb 2013 03:14:11 -0800 (PST)
+Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88])
+        by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09
+        (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
+        Sat, 23 Feb 2013 03:14:10 -0800 (PST)
+X-Mailer: git-send-email 1.7.10.4
+In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
+Original-Sender: netdev-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <netdev.vger.kernel.org>
+X-Mailing-List: netdev@vger.kernel.org
+Xref: news.gmane.org gmane.linux.network:260061
+Archived-At: <http://permalink.gmane.org/gmane.linux.network/260061>
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+---
+ net/core/sock_diag.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 602cd63..750f44f 100644
+--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
+@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 	if (nlmsg_len(nlh) < sizeof(*req))
+ 		return -EINVAL;
+ 
+	if (req->sdiag_family >= AF_MAX)
+		return -EINVAL;
+
+ 	hndl = sock_diag_lock_handler(req->sdiag_family);
+ 	if (hndl == NULL)
+ 		err = -ENOENT;
+-- 
+1.7.10.4
+