releases/3.2.42/tools-hv-netlink-source-address-validation-allows-dos.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Tomas Hozza <thozza@redhat.com>
 Date: Thu, 8 Nov 2012 10:53:29 +0100
 Subject: tools: hv: Netlink source address validation allows DoS

 commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.

 The source code without this patch caused hypervkvpd to exit when it processed
 a spoofed Netlink packet which has been sent from an untrusted local user.
 Now Netlink messages with a non-zero nl_pid source address are ignored
 and a warning is printed into the syslog.

 Signed-off-by: Tomas Hozza <thozza@redhat.com>
 Acked-by:  K. Y. Srinivasan <kys@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  tools/hv/hv_kvp_daemon.c |    8 +++++++-
  1 file changed, 7 insertions(+), 1 deletion(-)

 --- a/tools/hv/hv_kvp_daemon.c
 +++ b/tools/hv/hv_kvp_daemon.c
 @@ -393,13 +393,19 @@ int main(void)
  		len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
  				addr_p, &addr_l);

 -		if (len < 0 || addr.nl_pid) {
 +		if (len < 0) {
  			syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
  					addr.nl_pid, errno, strerror(errno));
  			close(fd);
  			return -1;
  		}

 +		if (addr.nl_pid) {
 +			syslog(LOG_WARNING, "Received packet from untrusted pid:%u",
 +					addr.nl_pid);
 +			continue;
 +		}
 +
  		incoming_msg = (struct nlmsghdr *)kvp_recv_buffer;
  		incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg);
	From: Tomas Hozza <thozza@redhat.com>
	Date: Thu, 8 Nov 2012 10:53:29 +0100
	Subject: tools: hv: Netlink source address validation allows DoS

	commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.

	The source code without this patch caused hypervkvpd to exit when it processed
	a spoofed Netlink packet which has been sent from an untrusted local user.
	Now Netlink messages with a non-zero nl_pid source address are ignored
	and a warning is printed into the syslog.

	Signed-off-by: Tomas Hozza <thozza@redhat.com>
	Acked-by: K. Y. Srinivasan <kys@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	tools/hv/hv_kvp_daemon.c \| 8 +++++++-
	1 file changed, 7 insertions(+), 1 deletion(-)

	--- a/tools/hv/hv_kvp_daemon.c
	+++ b/tools/hv/hv_kvp_daemon.c
	@@ -393,13 +393,19 @@ int main(void)
	len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
	addr_p, &addr_l);

	- if (len < 0 \|\| addr.nl_pid) {
	+ if (len < 0) {
	syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
	addr.nl_pid, errno, strerror(errno));
	close(fd);
	return -1;
	}

	+ if (addr.nl_pid) {
	+ syslog(LOG_WARNING, "Received packet from untrusted pid:%u",
	+ addr.nl_pid);
	+ continue;
	+ }
	+
	incoming_msg = (struct nlmsghdr *)kvp_recv_buffer;
	incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg);