CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)

This commit is contained in:
Josh Boyer 2013-02-24 13:58:12 -05:00
parent e41bfbe382
commit 23479883b7
2 changed files with 96 additions and 1 deletions

View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and # For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
# #
%global baserelease 1 %global baserelease 2
%global fedora_build %{baserelease} %global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching # base_sublevel is the kernel version we're starting with and patching
@ -733,6 +733,9 @@ Patch21247: ath9k_rx_dma_stop_check.patch
#rhbz 844750 #rhbz 844750
Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
#CVE-2013-1763 rhbz 915052,915057
Patch21251: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
#rhbz 812111 #rhbz 812111
Patch21260: alps-v2.patch Patch21260: alps-v2.patch
@ -1429,6 +1432,9 @@ ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
#rhbz 812111 #rhbz 812111
ApplyPatch alps-v2.patch ApplyPatch alps-v2.patch
#CVE-2013-1763 rhbz 915052,915057
ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
%endif %endif
@ -2284,6 +2290,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Sun Feb 24 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)
* Fri Feb 22 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git5.1 * Fri Feb 22 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git5.1
- Linux v3.8-6071-g8b5628a - Linux v3.8-6071-g8b5628a

View File

@ -0,0 +1,86 @@
Path: news.gmane.org!not-for-mail
From: Mathias Krause <minipli@googlemail.com>
Newsgroups: gmane.linux.network
Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
Date: Sat, 23 Feb 2013 12:13:47 +0100
Lines: 28
Approved: news@gmane.org
Message-ID: <1361618028-9024-2-git-send-email-minipli@googlemail.com>
References: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC)
Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
To: "David S. Miller" <davem@davemloft.net>
Original-X-From: netdev-owner@vger.kernel.org Sat Feb 23 12:14:49 2013
Return-path: <netdev-owner@vger.kernel.org>
Envelope-to: linux-netdev-2@plane.gmane.org
Original-Received: from vger.kernel.org ([209.132.180.67])
by plane.gmane.org with esmtp (Exim 4.69)
(envelope-from <netdev-owner@vger.kernel.org>)
id 1U9D3z-0003H8-6Z
for linux-netdev-2@plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100
Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1757811Ab3BWLOQ (ORCPT <rfc822;linux-netdev-2@m.gmane.org>);
Sat, 23 Feb 2013 06:14:16 -0500
Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO
mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1757044Ab3BWLOM (ORCPT
<rfc822;netdev@vger.kernel.org>); Sat, 23 Feb 2013 06:14:12 -0500
Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40
for <netdev@vger.kernel.org>; Sat, 23 Feb 2013 03:14:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlemail.com; s=20120113;
h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
:references;
bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=;
b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK
ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo
Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY
D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8
ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM
od5Q==
X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168;
Sat, 23 Feb 2013 03:14:11 -0800 (PST)
Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88])
by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09
(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 23 Feb 2013 03:14:10 -0800 (PST)
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
Original-Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
Xref: news.gmane.org gmane.linux.network:260061
Archived-At: <http://permalink.gmane.org/gmane.linux.network/260061>
Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
with a family greater or equal then AF_MAX -- the array size of
sock_diag_handlers[]. The current code does not test for this
condition therefore is vulnerable to an out-of-bound access opening
doors for a privilege escalation.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/core/sock_diag.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 602cd63..750f44f 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (nlmsg_len(nlh) < sizeof(*req))
return -EINVAL;
+ if (req->sdiag_family >= AF_MAX)
+ return -EINVAL;
+
hndl = sock_diag_lock_handler(req->sdiag_family);
if (hndl == NULL)
err = -ENOENT;
--
1.7.10.4