From 23479883b75c26d9065becfeca340e58d66ae590 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sun, 24 Feb 2013 13:58:12 -0500 Subject: [PATCH] CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057) --- kernel.spec | 11 ++- ...-bounds-access-to-sock_diag_handlers.patch | 86 +++++++++++++++++++ 2 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch diff --git a/kernel.spec b/kernel.spec index f87577522..c4c1ee139 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -733,6 +733,9 @@ Patch21247: ath9k_rx_dma_stop_check.patch #rhbz 844750 Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch +#CVE-2013-1763 rhbz 915052,915057 +Patch21251: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch + #rhbz 812111 Patch21260: alps-v2.patch @@ -1429,6 +1432,9 @@ ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch #rhbz 812111 ApplyPatch alps-v2.patch +#CVE-2013-1763 rhbz 915052,915057 +ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch + # END OF PATCH APPLICATIONS %endif @@ -2284,6 +2290,9 @@ fi # ||----w | # || || %changelog +* Sun Feb 24 2013 Josh Boyer +- CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057) + * Fri Feb 22 2013 Josh Boyer - 3.9.0-0.rc0.git5.1 - Linux v3.8-6071-g8b5628a diff --git a/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch b/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch new file mode 100644 index 000000000..7508a7676 --- /dev/null +++ b/sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch @@ -0,0 +1,86 @@ +Path: news.gmane.org!not-for-mail +From: Mathias Krause +Newsgroups: gmane.linux.network +Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] +Date: Sat, 23 Feb 2013 12:13:47 +0100 +Lines: 28 +Approved: news@gmane.org +Message-ID: <1361618028-9024-2-git-send-email-minipli@googlemail.com> +References: <1361618028-9024-1-git-send-email-minipli@googlemail.com> +NNTP-Posting-Host: plane.gmane.org +X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC) +Cc: netdev@vger.kernel.org, Mathias Krause +To: "David S. Miller" +Original-X-From: netdev-owner@vger.kernel.org Sat Feb 23 12:14:49 2013 +Return-path: +Envelope-to: linux-netdev-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1U9D3z-0003H8-6Z + for linux-netdev-2@plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1757811Ab3BWLOQ (ORCPT ); + Sat, 23 Feb 2013 06:14:16 -0500 +Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO + mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1757044Ab3BWLOM (ORCPT + ); Sat, 23 Feb 2013 06:14:12 -0500 +Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40 + for ; Sat, 23 Feb 2013 03:14:11 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=googlemail.com; s=20120113; + h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to + :references; + bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=; + b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK + ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo + Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY + D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8 + ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM + od5Q== +X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168; + Sat, 23 Feb 2013 03:14:11 -0800 (PST) +Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88]) + by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09 + (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); + Sat, 23 Feb 2013 03:14:10 -0800 (PST) +X-Mailer: git-send-email 1.7.10.4 +In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com> +Original-Sender: netdev-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: netdev@vger.kernel.org +Xref: news.gmane.org gmane.linux.network:260061 +Archived-At: + +Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY +with a family greater or equal then AF_MAX -- the array size of +sock_diag_handlers[]. The current code does not test for this +condition therefore is vulnerable to an out-of-bound access opening +doors for a privilege escalation. + +Signed-off-by: Mathias Krause +--- + net/core/sock_diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c +index 602cd63..750f44f 100644 +--- a/net/core/sock_diag.c ++++ b/net/core/sock_diag.c +@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + if (nlmsg_len(nlh) < sizeof(*req)) + return -EINVAL; + ++ if (req->sdiag_family >= AF_MAX) ++ return -EINVAL; ++ + hndl = sock_diag_lock_handler(req->sdiag_family); + if (hndl == NULL) + err = -ENOENT; +-- +1.7.10.4 +