| From 42eab94fff18cb1091d3501cd284d6bd6cc9c143 Mon Sep 17 00:00:00 2001 |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| Date: Tue, 15 Mar 2011 13:35:21 +0100 |
| Subject: netfilter: arp_tables: fix infoleak to userspace |
| |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| |
| commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream. |
| |
| Structures ipt_replace, compat_ipt_replace, and xt_get_revision are |
| copied from userspace. Fields of these structs that are |
| zero-terminated strings are not checked. When they are used as an argument |
| to a format string containing "%s" in request_module(), some sensitive |
| information is leaked to userspace via the argument of the spawned modprobe |
| process. |
| |
| The first bug was introduced before the git epoch; the second is |
| introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by |
| 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have |
| CAP_NET_ADMIN. |
| |
| Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/ipv4/netfilter/arp_tables.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/ipv4/netfilter/arp_tables.c |
| +++ b/net/ipv4/netfilter/arp_tables.c |
| @@ -1086,6 +1086,7 @@ static int do_replace(struct net *net, v |
| /* overflow check */ |
| if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) |
| return -ENOMEM; |
| + tmp.name[sizeof(tmp.name)-1] = 0; |
| |
| newinfo = xt_alloc_table_info(tmp.size); |
| if (!newinfo) |
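Review bot: The added `tmp.name[sizeof(tmp.name)-1] = 0;` has no comment saying why the last byte is forced, so a later cleanup could remove it as redundant; I would put `/* name comes from userspace and may be unterminated; it later feeds a "%s" in request_module() */` above it. The same applies to the identical line in the compat_do_replace hunk and to `rev.name[sizeof(rev.name)-1] = 0;` in do_arpt_get_ctl. The write also silently truncates an over-long name instead of failing the call; a `strnlen(tmp.name, sizeof(tmp.name)) == sizeof(tmp.name)` test returning -EINVAL would surface the bad input to the caller, though that changes behaviour for existing userspace and may be why truncation was chosen. do_replace starts and continues outside the hunk, so where the name is consumed is taken from the commit message rather than from visible lines.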
| @@ -1508,6 +1509,7 @@ static int compat_do_replace(struct net |
| return -ENOMEM; |
| if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) |
| return -ENOMEM; |
| + tmp.name[sizeof(tmp.name)-1] = 0; |
| |
| newinfo = xt_alloc_table_info(tmp.size); |
| if (!newinfo) |
| @@ -1763,6 +1765,7 @@ static int do_arpt_get_ctl(struct sock * |
| ret = -EFAULT; |
| break; |
| } |
| + rev.name[sizeof(rev.name)-1] = 0; |
| |
| try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name, |
| rev.revision, 1, &ret), |
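Review bot: Only the revision lookup visible here gets a terminated name: the hunk shows `rev.name` flowing into `try_then_request_module(xt_find_revision(...))`, but the other branches of do_arpt_get_ctl lie outside the hunk. Any other branch that copies a name-bearing struct from userspace and hands it to a lookup able to request a module would need the same one-line termination, so those paths should be confirmed before the leak is treated as closed. A short comment such as `/* userspace-supplied; terminate before module lookup */` on the added line would make every such site easy to find in a later audit.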