CVE-2014-2523 netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages (rhbz 1077343 1077350)

2014-03-17 15:35:08 -04:00 · 2014-03-17 15:35:08 -04:00 · d43a0facf4
commit d43a0facf4
parent b949453eff
2 changed files with 74 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -806,6 +806,9 @@ Patch25041: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
 #rhbz 1046495
 Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch

+#CVE-2014-2523 rhbz 1077343 1077350
+Patch25045: netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1558,6 +1561,9 @@ ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
 #rhbz 1046495
 ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch

+#CVE-2014-2523 rhbz 1077343 1077350
+ApplyPatch netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2370,6 +2376,9 @@ fi
 # and build.

 %changelog
+* Mon Mar 17 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-2523 netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages (rhbz 1077343 1077350)
+
 * Wed Mar 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
 - Fix locking issue in iwldvm (rhbz 1046495)

--- a/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
+++ b/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
@ -0,0 +1,65 @@
+Bugzilla: 1077350
+Upstream-status: 3.14-rc1
+
+From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon, 6 Jan 2014 00:57:54 +0100
+Subject: [PATCH] netfilter: nf_conntrack_dccp: fix skb_header_pointer API
+ usages
+
+Some occurences in the netfilter tree use skb_header_pointer() in
+the following way ...
+
+  struct dccp_hdr _dh, *dh;
+  ...
+  skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+
+... where dh itself is a pointer that is being passed as the copy
+buffer. Instead, we need to use &_dh as the forth argument so that
+we're copying the data into an actual buffer that sits on the stack.
+
+Currently, we probably could overwrite memory on the stack (e.g.
+with a possibly mal-formed DCCP packet), but unintentionally, as
+we only want the buffer to be placed into _dh variable.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
+index 3841268..cb372f9 100644
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
+ 	const char *msg;
+ 	u_int8_t state;
+ 
+-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ 	BUG_ON(dh == NULL);
+ 
+ 	state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
+@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
+ 	u_int8_t type, old_state, new_state;
+ 	enum ct_dccp_roles role;
+ 
+-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ 	BUG_ON(dh == NULL);
+ 	type = dh->dccph_type;
+ 
+@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
+ 	unsigned int cscov;
+ 	const char *msg;
+ 
+-	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+	dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ 	if (dh == NULL) {
+ 		msg = "nf_ct_dccp: short packet ";
+ 		goto out_invalid;
+-- 
+1.8.5.3
+