Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu Kernel Team (http://www.linux-archive.org/ubuntu-kernel-team/)
-   -   filter: make sure filters dont read uninitialized memory, CVE-2010-4158 (http://www.linux-archive.org/ubuntu-kernel-team/491332-filter-make-sure-filters-dont-read-uninitialized-memory-cve-2010-4158-a.html)

John Johansen 02-18-2011 09:00 PM

filter: make sure filters dont read uninitialized memory, CVE-2010-4158
 
On 02/18/2011 08:41 AM, Stefan Bader wrote:
> From: David S. Miller <davem@davemloft.net>
>
> CVE-2010-4158
> BugLink: http://bugs.launchpad.net/bugs/721282
>
> There is a possibility malicious users can get limited information about
> uninitialized stack mem array. Even if sk_run_filter() result is bound
> to packet length (0 .. 65535), we could imagine this can be used by
> hostile user.
>
> Initializing mem[] array, like Dan Rosenberg suggested in his patch is
> expensive since most filters dont even use this array.
>
> Its hard to make the filter validation in sk_chk_filter(), because of
> the jumps. This might be done later.
>
> In this patch, I use a bitmap (a single long var) so that only filters
> using mem[] loads/stores pay the price of added security checks.
>
> For other filters, additional cost is a single instruction.
>
> [ Since we access fentry->k a lot now, cache it in a local variable
> and mark filter entry pointer as const. -DaveM ]
>
> Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> (backported from commit 57fe93b374a6b8711995c2d466c502af9f3a08bb upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


All times are GMT. The time now is 07:10 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.