releases/3.6.11/inet_diag-validate-port-comparison-byte-code-to-prevent-unsafe-reads.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From cd82550381feeb004a3afddffcf9f911763f051a Mon Sep 17 00:00:00 2001
 From: Neal Cardwell <ncardwell@google.com>
 Date: Sun, 9 Dec 2012 11:09:54 +0000
 Subject: inet_diag: validate port comparison byte code to prevent unsafe reads


 From: Neal Cardwell <ncardwell@google.com>

 [ Upstream commit 5e1f54201cb481f40a04bc47e1bc8c093a189e23 ]

 Add logic to verify that a port comparison byte code operation
 actually has the second inet_diag_bc_op from which we read the port
 for such operations.

 Previously the code blindly referenced op[1] without first checking
 whether a second inet_diag_bc_op struct could fit there. So a
 malicious user could make the kernel read 4 bytes beyond the end of
 the bytecode array by claiming to have a whole port comparison byte
 code (2 inet_diag_bc_op structs) when in fact the bytecode was not
 long enough to hold both.

 Signed-off-by: Neal Cardwell <ncardwell@google.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/ipv4/inet_diag.c |   31 ++++++++++++++++++++++++-------
  1 file changed, 24 insertions(+), 7 deletions(-)

 --- a/net/ipv4/inet_diag.c
 +++ b/net/ipv4/inet_diag.c
 @@ -552,6 +552,17 @@ static bool valid_hostcond(const struct
  	return true;
  }

 +/* Validate a port comparison operator. */
 +static inline bool valid_port_comparison(const struct inet_diag_bc_op *op,
 +					 int len, int *min_len)
 +{
 +	/* Port comparisons put the port in a follow-on inet_diag_bc_op. */
 +	*min_len += sizeof(struct inet_diag_bc_op);
 +	if (len < *min_len)
 +		return false;
 +	return true;
 +}
 +
  static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
  {
  	const void *bc = bytecode;
 @@ -567,24 +578,30 @@ static int inet_diag_bc_audit(const void
  		case INET_DIAG_BC_D_COND:
  			if (!valid_hostcond(bc, len, &min_len))
  				return -EINVAL;
 -			/* fall through */
 -		case INET_DIAG_BC_AUTO:
 +			break;
  		case INET_DIAG_BC_S_GE:
  		case INET_DIAG_BC_S_LE:
  		case INET_DIAG_BC_D_GE:
  		case INET_DIAG_BC_D_LE:
 -		case INET_DIAG_BC_JMP:
 -			if (op->no < min_len || op->no > len + 4 || op->no & 3)
 -				return -EINVAL;
 -			if (op->no < len &&
 -			    !valid_cc(bytecode, bytecode_len, len - op->no))
 +			if (!valid_port_comparison(bc, len, &min_len))
  				return -EINVAL;
  			break;
 +		case INET_DIAG_BC_AUTO:
 +		case INET_DIAG_BC_JMP:
  		case INET_DIAG_BC_NOP:
  			break;
  		default:
  			return -EINVAL;
  		}
 +
 +		if (op->code != INET_DIAG_BC_NOP) {
 +			if (op->no < min_len || op->no > len + 4 || op->no & 3)
 +				return -EINVAL;
 +			if (op->no < len &&
 +			    !valid_cc(bytecode, bytecode_len, len - op->no))
 +				return -EINVAL;
 +		}
 +
  		if (op->yes < min_len || op->yes > len + 4 || op->yes & 3)
  			return -EINVAL;
  		bc  += op->yes;
	From cd82550381feeb004a3afddffcf9f911763f051a Mon Sep 17 00:00:00 2001
	From: Neal Cardwell <ncardwell@google.com>
	Date: Sun, 9 Dec 2012 11:09:54 +0000
	Subject: inet_diag: validate port comparison byte code to prevent unsafe reads


	From: Neal Cardwell <ncardwell@google.com>

	[ Upstream commit 5e1f54201cb481f40a04bc47e1bc8c093a189e23 ]

	Add logic to verify that a port comparison byte code operation
	actually has the second inet_diag_bc_op from which we read the port
	for such operations.

	Previously the code blindly referenced op[1] without first checking
	whether a second inet_diag_bc_op struct could fit there. So a
	malicious user could make the kernel read 4 bytes beyond the end of
	the bytecode array by claiming to have a whole port comparison byte
	code (2 inet_diag_bc_op structs) when in fact the bytecode was not
	long enough to hold both.

	Signed-off-by: Neal Cardwell <ncardwell@google.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/ipv4/inet_diag.c \| 31 ++++++++++++++++++++++++-------
	1 file changed, 24 insertions(+), 7 deletions(-)

	--- a/net/ipv4/inet_diag.c
	+++ b/net/ipv4/inet_diag.c
	@@ -552,6 +552,17 @@ static bool valid_hostcond(const struct
	return true;
	}

	+/* Validate a port comparison operator. */
	+static inline bool valid_port_comparison(const struct inet_diag_bc_op *op,
	+ int len, int *min_len)
	+{
	+ /* Port comparisons put the port in a follow-on inet_diag_bc_op. */
	+ *min_len += sizeof(struct inet_diag_bc_op);
	+ if (len < *min_len)
	+ return false;
	+ return true;
	+}
	+
	static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
	{
	const void *bc = bytecode;
	@@ -567,24 +578,30 @@ static int inet_diag_bc_audit(const void
	case INET_DIAG_BC_D_COND:
	if (!valid_hostcond(bc, len, &min_len))
	return -EINVAL;
	- /* fall through */
	- case INET_DIAG_BC_AUTO:
	+ break;
	case INET_DIAG_BC_S_GE:
	case INET_DIAG_BC_S_LE:
	case INET_DIAG_BC_D_GE:
	case INET_DIAG_BC_D_LE:
	- case INET_DIAG_BC_JMP:
	- if (op->no < min_len \|\| op->no > len + 4 \|\| op->no & 3)
	- return -EINVAL;
	- if (op->no < len &&
	- !valid_cc(bytecode, bytecode_len, len - op->no))
	+ if (!valid_port_comparison(bc, len, &min_len))
	return -EINVAL;
	break;
	+ case INET_DIAG_BC_AUTO:
	+ case INET_DIAG_BC_JMP:
	case INET_DIAG_BC_NOP:
	break;
	default:
	return -EINVAL;
	}
	+
	+ if (op->code != INET_DIAG_BC_NOP) {
	+ if (op->no < min_len \|\| op->no > len + 4 \|\| op->no & 3)
	+ return -EINVAL;
	+ if (op->no < len &&
	+ !valid_cc(bytecode, bytecode_len, len - op->no))
	+ return -EINVAL;
	+ }
	+
	if (op->yes < min_len \|\| op->yes > len + 4 \|\| op->yes & 3)
	return -EINVAL;
	bc += op->yes;