CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)
This commit is contained in:
parent
e41bfbe382
commit
23479883b7
11
kernel.spec
11
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||||||
# For non-released -rc kernels, this will be appended after the rcX and
|
# For non-released -rc kernels, this will be appended after the rcX and
|
||||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||||
#
|
#
|
||||||
%global baserelease 1
|
%global baserelease 2
|
||||||
%global fedora_build %{baserelease}
|
%global fedora_build %{baserelease}
|
||||||
|
|
||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
@ -733,6 +733,9 @@ Patch21247: ath9k_rx_dma_stop_check.patch
|
|||||||
#rhbz 844750
|
#rhbz 844750
|
||||||
Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
|
Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
|
||||||
|
|
||||||
|
#CVE-2013-1763 rhbz 915052,915057
|
||||||
|
Patch21251: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
|
||||||
|
|
||||||
#rhbz 812111
|
#rhbz 812111
|
||||||
Patch21260: alps-v2.patch
|
Patch21260: alps-v2.patch
|
||||||
|
|
||||||
@ -1429,6 +1432,9 @@ ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
|
|||||||
#rhbz 812111
|
#rhbz 812111
|
||||||
ApplyPatch alps-v2.patch
|
ApplyPatch alps-v2.patch
|
||||||
|
|
||||||
|
#CVE-2013-1763 rhbz 915052,915057
|
||||||
|
ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2284,6 +2290,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sun Feb 24 2013 Josh Boyer <jwboyer@redhat.com>
|
||||||
|
- CVE-2013-1763 sock_diag: out-of-bounds access to sock_diag_handlers (rhbz 915052,915057)
|
||||||
|
|
||||||
* Fri Feb 22 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git5.1
|
* Fri Feb 22 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc0.git5.1
|
||||||
- Linux v3.8-6071-g8b5628a
|
- Linux v3.8-6071-g8b5628a
|
||||||
|
|
||||||
|
@ -0,0 +1,86 @@
|
|||||||
|
Path: news.gmane.org!not-for-mail
|
||||||
|
From: Mathias Krause <minipli@googlemail.com>
|
||||||
|
Newsgroups: gmane.linux.network
|
||||||
|
Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
|
||||||
|
Date: Sat, 23 Feb 2013 12:13:47 +0100
|
||||||
|
Lines: 28
|
||||||
|
Approved: news@gmane.org
|
||||||
|
Message-ID: <1361618028-9024-2-git-send-email-minipli@googlemail.com>
|
||||||
|
References: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
|
||||||
|
NNTP-Posting-Host: plane.gmane.org
|
||||||
|
X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT)
|
||||||
|
X-Complaints-To: usenet@ger.gmane.org
|
||||||
|
NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC)
|
||||||
|
Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
|
||||||
|
To: "David S. Miller" <davem@davemloft.net>
|
||||||
|
Original-X-From: netdev-owner@vger.kernel.org Sat Feb 23 12:14:49 2013
|
||||||
|
Return-path: <netdev-owner@vger.kernel.org>
|
||||||
|
Envelope-to: linux-netdev-2@plane.gmane.org
|
||||||
|
Original-Received: from vger.kernel.org ([209.132.180.67])
|
||||||
|
by plane.gmane.org with esmtp (Exim 4.69)
|
||||||
|
(envelope-from <netdev-owner@vger.kernel.org>)
|
||||||
|
id 1U9D3z-0003H8-6Z
|
||||||
|
for linux-netdev-2@plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100
|
||||||
|
Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||||
|
id S1757811Ab3BWLOQ (ORCPT <rfc822;linux-netdev-2@m.gmane.org>);
|
||||||
|
Sat, 23 Feb 2013 06:14:16 -0500
|
||||||
|
Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO
|
||||||
|
mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||||
|
with ESMTP id S1757044Ab3BWLOM (ORCPT
|
||||||
|
<rfc822;netdev@vger.kernel.org>); Sat, 23 Feb 2013 06:14:12 -0500
|
||||||
|
Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40
|
||||||
|
for <netdev@vger.kernel.org>; Sat, 23 Feb 2013 03:14:11 -0800 (PST)
|
||||||
|
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
|
||||||
|
d=googlemail.com; s=20120113;
|
||||||
|
h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
|
||||||
|
:references;
|
||||||
|
bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=;
|
||||||
|
b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK
|
||||||
|
ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo
|
||||||
|
Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY
|
||||||
|
D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8
|
||||||
|
ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM
|
||||||
|
od5Q==
|
||||||
|
X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168;
|
||||||
|
Sat, 23 Feb 2013 03:14:11 -0800 (PST)
|
||||||
|
Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88])
|
||||||
|
by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09
|
||||||
|
(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
|
||||||
|
Sat, 23 Feb 2013 03:14:10 -0800 (PST)
|
||||||
|
X-Mailer: git-send-email 1.7.10.4
|
||||||
|
In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
|
||||||
|
Original-Sender: netdev-owner@vger.kernel.org
|
||||||
|
Precedence: bulk
|
||||||
|
List-ID: <netdev.vger.kernel.org>
|
||||||
|
X-Mailing-List: netdev@vger.kernel.org
|
||||||
|
Xref: news.gmane.org gmane.linux.network:260061
|
||||||
|
Archived-At: <http://permalink.gmane.org/gmane.linux.network/260061>
|
||||||
|
|
||||||
|
Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
|
||||||
|
with a family greater or equal then AF_MAX -- the array size of
|
||||||
|
sock_diag_handlers[]. The current code does not test for this
|
||||||
|
condition therefore is vulnerable to an out-of-bound access opening
|
||||||
|
doors for a privilege escalation.
|
||||||
|
|
||||||
|
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||||
|
---
|
||||||
|
net/core/sock_diag.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
|
||||||
|
index 602cd63..750f44f 100644
|
||||||
|
--- a/net/core/sock_diag.c
|
||||||
|
+++ b/net/core/sock_diag.c
|
||||||
|
@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||||
|
if (nlmsg_len(nlh) < sizeof(*req))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
+ if (req->sdiag_family >= AF_MAX)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
hndl = sock_diag_lock_handler(req->sdiag_family);
|
||||||
|
if (hndl == NULL)
|
||||||
|
err = -ENOENT;
|
||||||
|
--
|
||||||
|
1.7.10.4
|
||||||
|
|
Loading…
Reference in New Issue
Block a user