[kernel] r6571 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Tue May 16 06:19:59 UTC 2006


Author: dannf
Date: Tue May 16 06:19:54 2006
New Revision: 6571

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* netfilter-do_replace-overflow.dpatch
  [SECURITY] Fix buffer overflow in netfilter do_replace which could
  be triggered by users with CAP_NET_ADMIN rights.
  See CVE-2006-0038

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue May 16 06:19:54 2006
@@ -4,8 +4,12 @@
     [SECURITY] Fix potential DoS (panic) cause by inconsistent reference
     counting in network protocol modules.
     See CAN-2005-3359
+  * netfilter-do_replace-overflow.dpatch
+    [SECURITY] Fix buffer overflow in netfilter do_replace which can could
+    be triggered by users with CAP_NET_ADMIN rights.
+    See CVE-2006-0038
 
- -- dann frazier <dannf at debian.org>  Mon, 15 May 2006 18:06:05 -0500
+ -- dann frazier <dannf at debian.org>  Tue, 16 May 2006 01:11:48 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch	Tue May 16 06:19:54 2006
@@ -0,0 +1,96 @@
+From: Kirill Korotaev <dev at openvz.org>
+Date: Sat, 4 Feb 2006 10:16:56 +0000 (-0800)
+Subject: [NETFILTER]: Fix possible overflow in netfilters do_replace()
+X-Git-Tag: v2.6.16-rc3
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168
+
+[NETFILTER]: Fix possible overflow in netfilters do_replace()
+
+netfilter's do_replace() can overflow on addition within SMP_ALIGN()
+and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
+the copy_from_user().  In practice, the overflow on addition is
+triggerable on all systems, whereas the multiplication one might require
+much physical memory to be present due to the check above.  Either is
+sufficient to overwrite arbitrary amounts of kernel memory.
+
+I really hate adding the same check to all 4 versions of do_replace(),
+but the code is duplicate...
+
+Found by Solar Designer during security audit of OpenVZ.org
+
+Signed-Off-By: Kirill Korotaev <dev at openvz.org>
+Signed-Off-By: Solar Designer <solar at openwall.com>
+Signed-off-by: Patrck McHardy <kaber at trash.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.6.8.orig/net/bridge/netfilter/ebtables.c kernel-source-2.6.8/net/bridge/netfilter/ebtables.c
+--- kernel-source-2.6.8.orig/net/bridge/netfilter/ebtables.c	2006-02-08 23:55:59.000000000 -0600
++++ kernel-source-2.6.8/net/bridge/netfilter/ebtables.c	2006-05-16 01:00:10.000000000 -0500
+@@ -925,6 +925,13 @@
+ 		BUGPRINT("Entries_size never zero\n");
+ 		return -EINVAL;
+ 	}
++	/* overflow check */
++	if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
++			SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
++		return -ENOMEM;
++	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
++		return -ENOMEM;
++
+ 	countersize = COUNTER_OFFSET(tmp.nentries) * NR_CPUS;
+ 	newinfo = (struct ebt_table_info *)
+ 	   vmalloc(sizeof(struct ebt_table_info) + countersize);
+diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c
+--- kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c	2004-08-14 00:38:11.000000000 -0500
++++ kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c	2006-05-16 00:57:13.000000000 -0500
+@@ -882,6 +882,13 @@
+ 	if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
+ 		return -ENOMEM;
+ 
++	/* overflow check */
++	if (tmp.size >= (INT_MAX - sizeof(struct arpt_table_info)) / NR_CPUS -
++			SMP_CACHE_BYTES)
++		return -ENOMEM;
++	if (tmp.num_counters >= INT_MAX / sizeof(struct arpt_counters))
++		return -ENOMEM;
++
+ 	newinfo = vmalloc(sizeof(struct arpt_table_info)
+ 			  + SMP_ALIGN(tmp.size) * NR_CPUS);
+ 	if (!newinfo)
+diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c
+--- kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c	2004-08-14 00:36:32.000000000 -0500
++++ kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c	2006-05-16 00:55:13.000000000 -0500
+@@ -1059,6 +1059,13 @@
+ 	if (len != sizeof(tmp) + tmp.size)
+ 		return -ENOPROTOOPT;
+ 
++	/* overflow check */
++	if (tmp.size >= (INT_MAX - sizeof(struct ipt_table_info)) / NR_CPUS -
++			SMP_CACHE_BYTES)
++		return -ENOMEM;
++	if (tmp.num_counters >= INT_MAX / sizeof(struct ipt_counters))
++		return -ENOMEM;
++
+ 	/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ 	if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
+ 		return -ENOMEM;
+diff -urN kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c
+--- kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c	2004-08-14 00:37:40.000000000 -0500
++++ kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c	2006-05-16 01:01:24.000000000 -0500
+@@ -1146,6 +1146,13 @@
+ 	if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
+ 		return -ENOMEM;
+ 
++	/* overflow check */
++	if (tmp.size >= (INT_MAX - sizeof(struct ip6t_table_info)) / NR_CPUS -
++			SMP_CACHE_BYTES)
++		return -ENOMEM;
++	if (tmp.num_counters >= INT_MAX / sizeof(struct ip6t_counters))
++		return -ENOMEM;
++
+ 	newinfo = vmalloc(sizeof(struct ip6t_table_info)
+ 			  + SMP_ALIGN(tmp.size) * NR_CPUS);
+ 	if (!newinfo)
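Review bot: The `/* overflow check */` comment added in all four files (ebtables.c, arp_tables.c, ip_tables.c, ip6_tables.c) does not say which later arithmetic it bounds, so the threshold expression is hard to audit; for the three *_tables.c hunks I would write `/* Bound tmp.size so that sizeof(*newinfo) + SMP_ALIGN(tmp.size) * NR_CPUS below cannot wrap (CVE-2006-0038) */`, and in ebtables.c the equivalent naming `COUNTER_OFFSET(tmp.nentries) * NR_CPUS`. The placement also differs between files: ip_tables.c inserts the check before the `(SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages` test, whereas arp_tables.c and ip6_tables.c insert it after that test, so in those two files SMP_ALIGN() is still evaluated on an unchecked tmp.size first; the new bound rejects the request either way, but moving the check ahead of it would keep the three files consistent and avoid computing a wrapped value at all. The second test, `tmp.num_counters >= INT_MAX / sizeof(...)`, presumably bounds a counters allocation that is not visible in the hunk; confirm that every consumer of num_counters sits after this point. Each do_replace() begins and ends outside the hunk.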

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Tue May 16 06:19:54 2006
@@ -1,2 +1,3 @@
 + net-protocol-mod-refcounts-pre.dpatch
 + net-protocol-mod-refcounts.dpatch
++ netfilter-do_replace-overflow.dpatch


