Old 07-07-2011, 09:28 AM
Andy Whitcroft
 
Default netfilter: ipt_CLUSTERIP: fix buffer overflow

CVE-2011-2534
Buffer overflow in the clusterip_proc_write function in
net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before
2.6.39 might allow local users to cause a denial of service or
have unspecified other impact via a crafted write operation,
related to string data that lacks a terminating '\0' character.

This bug has already been fixed via mainline and stable for the latest
releases, or by Paolo for the ARM branches. Hardy is the only release
still affected. Following this email is a patch for Hardy which is a
clean cherry-pick from upstream.

Proposing for SRU to hardy.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-07-2011, 09:28 AM
Andy Whitcroft
 
Default netfilter: ipt_CLUSTERIP: fix buffer overflow

From: Vasiliy Kulikov <segoon@openwall.com>

'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

(cherry picked from commit 961ed183a9fd080cf306c659b8736007e44065a5)
CVE-2011-2534
BugLink: http://bugs.launchpad.net/bugs/801473
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 2f544da..6420953 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -686,8 +686,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
struct clusterip_config *c = pde->data;
unsigned long nodenum;

- if (copy_from_user(buffer, input, PROC_WRITELEN))
+ if (size > PROC_WRITELEN)
+ return -EIO;
+ if (copy_from_user(buffer, input, size))
return -EFAULT;
+ buffer[size] = 0;

if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);
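Review bot: the new `buffer[size] = 0;` write is in bounds only if `buffer` is declared with at least PROC_WRITELEN + 1 bytes, because the check `if (size > PROC_WRITELEN)` still lets `size == PROC_WRITELEN` through; the array's declaration is outside this hunk's context, so the Hardy cherry-pick should be checked to confirm that declaration reserves the extra byte. Two smaller points: returning `-EIO` for an oversized write is unusual where `-EINVAL` is the conventional choice, though keeping it preserves parity with the upstream commit; and bounding the copy by `size` also stops the old `copy_from_user(buffer, input, PROC_WRITELEN)` from reading PROC_WRITELEN bytes of user memory when the caller wrote fewer, which is worth a sentence in the changelog since the commit message only mentions the missing terminator.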
--
1.7.4.1


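As an added illustration of the defect the commit message describes, here is a small userspace C model of the write handler's parsing path. It is example code written for this page, not the kernel's code or the patch itself: one function emulates the pre-patch copy and reports whether the copied bytes carry a terminator at all, the other mirrors the fixed logic. The value 10 for PROC_WRITELEN, the `-EINVAL` return for an unrecognised leading character, and `memcpy` standing in for `copy_from_user()` are assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for this demo; the kernel defines its own PROC_WRITELEN
 * in net/ipv4/netfilter/ipt_CLUSTERIP.c. */
#define PROC_WRITELEN 10

/* Model of the pre-patch copy: PROC_WRITELEN bytes are copied no matter how
 * many the caller actually wrote, and nothing appends a NUL. Returns true
 * when the copied region contains no terminator, which is exactly the state
 * in which simple_strtoul() would keep scanning past the end of `buffer`.
 * Bytes the user never wrote are modelled as stale, non-zero stack contents. */
static bool old_copy_unterminated(const char *user_data, size_t user_len)
{
    char buffer[PROC_WRITELEN];
    size_t n = user_len < PROC_WRITELEN ? user_len : PROC_WRITELEN;

    memset(buffer, 'X', sizeof buffer);   /* constructed stale stack contents */
    memcpy(buffer, user_data, n);         /* stand-in for copy_from_user() */
    return memchr(buffer, '\0', sizeof buffer) == NULL;
}

/* Model of the fixed parsing: bound the copy by the caller's `size`, reject
 * anything that would not leave room for the terminator, and write the
 * terminator before parsing. Returns 0 and fills *op / *nodenum on success,
 * -EIO for oversized writes (as in the patch), and -EINVAL (assumed here)
 * when the first byte is neither '+' nor '-'. */
static int parse_clusterip_write(const char *input, size_t size,
                                 char *op, unsigned long *nodenum)
{
    char buffer[PROC_WRITELEN + 1];   /* +1 so buffer[PROC_WRITELEN] is valid */

    if (size > PROC_WRITELEN)
        return -EIO;                  /* same rejection as the patch */
    memcpy(buffer, input, size);      /* stand-in for copy_from_user(buffer, input, size) */
    buffer[size] = 0;                 /* the terminator the old code never wrote */

    if (*buffer == '+' || *buffer == '-') {
        *op = *buffer;
        /* strtoul now stops at the NUL at buffer[size] (or at a '\n'
         * that a shell write such as echo leaves at the end) */
        *nodenum = strtoul(buffer + 1, NULL, 10);
        return 0;
    }
    return -EINVAL;
}

int main(void)
{
    /* Constructed inputs modelling what a proc write hands to the handler;
     * a proc write carries no trailing NUL, only the bytes written. */
    const char *short_write = "+5\n";         /* 3 bytes, as echo would send */
    const char *full_write  = "+123456789";   /* exactly PROC_WRITELEN bytes */
    const char *long_write  = "+1234567890";  /* PROC_WRITELEN + 1 bytes */
    char op = 0;
    unsigned long nodenum = 0;
    int rc;

    printf("old copy, %zu-byte write: unterminated=%d\n",
           strlen(short_write), old_copy_unterminated(short_write, strlen(short_write)));
    printf("old copy, %zu-byte write: unterminated=%d\n",
           strlen(full_write), old_copy_unterminated(full_write, strlen(full_write)));

    rc = parse_clusterip_write(short_write, strlen(short_write), &op, &nodenum);
    printf("fixed, %zu bytes: rc=%d op=%c nodenum=%lu\n", strlen(short_write), rc, op, nodenum);
    rc = parse_clusterip_write(full_write, strlen(full_write), &op, &nodenum);
    printf("fixed, %zu bytes: rc=%d op=%c nodenum=%lu\n", strlen(full_write), rc, op, nodenum);
    rc = parse_clusterip_write(long_write, strlen(long_write), &op, &nodenum);
    printf("fixed, %zu bytes: rc=%d (oversized write rejected)\n", strlen(long_write), rc);
    return 0;
}
```

The point the model makes visible is that the old copy length was a constant, so a write of any size left `buffer` without a terminator unless the user's data happened to contain a NUL within the first PROC_WRITELEN bytes; the fix makes the copy length and the terminator position both follow `size`, and the extra byte in the array is what keeps that terminator in bounds.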
 
