filter: prevent nla extensions to peek beyond the end of the message (CVE-2014-3144, CVE-2014-3145)

svn path=/dists/sid/linux/; revision=21326

debian/changelog

@@ -110,6 +110,8 @@ linux (3.14.4-1) UNRELEASED; urgency=medium
   * drm: Enable auto-loading of ast, udl
   * [ppc64el] Build a linux-libc-dev package (Closes: #747367)
   * net: ipv4: current group_info should be put after using. (CVE-2014-2851)
+  * filter: prevent nla extensions to peek beyond the end of the message
+    (CVE-2014-3144, CVE-2014-3145)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Thu, 01 May 2014 01:50:30 +0100
 

debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch

@@ -0,0 +1,78 @@
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 13 Apr 2014 18:23:33 +0200
+Subject: filter: prevent nla extensions to peek beyond the end of the message
+Origin: https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
+
+The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
+for a minimal message length before testing the supplied offset to be
+within the bounds of the message. This allows the subtraction of the nla
+header to underflow and therefore -- as the data type is unsigned --
+allowing far to big offset and length values for the search of the
+netlink attribute.
+
+The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
+also wrong. It has the minuend and subtrahend mixed up, therefore
+calculates a huge length value, allowing to overrun the end of the
+message while looking for the netlink attribute.
+
+The following three BPF snippets will trigger the bugs when attached to
+a UNIX datagram socket and parsing a message with length 1, 2 or 3.
+
+ ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
+ | ld	#0x87654321
+ | ldx	#42
+ | ld	#nla
+ | ret	a
+ `---
+
+ ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
+ | ld	#0x87654321
+ | ldx	#42
+ | ld	#nlan
+ | ret	a
+ `---
+
+ ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
+ | ; (needs a fake netlink header at offset 0)
+ | ld	#0
+ | ldx	#42
+ | ld	#nlan
+ | ret	a
+ `---
+
+Fix the first issue by ensuring the message length fulfills the minimal
+size constrains of a nla header. Fix the second bug by getting the math
+for the remainder calculation right.
+
+Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
+Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.14: This code is all in sk_run_filter(), not
+ separate functions]
+---
+ net/core/filter.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -371,11 +371,15 @@ load_b:
+ 
+ 			if (skb_is_nonlinear(skb))
+ 				return 0;
++			if (skb->len < sizeof(struct nlattr))
++				return 0;
++			if (skb->len < sizeof(struct nlattr))
++				return 0;
+ 			if (A > skb->len - sizeof(struct nlattr))
+ 				return 0;
+ 
+ 			nla = (struct nlattr *)&skb->data[A];
+-			if (nla->nla_len > A - skb->len)
++			if (nla->nla_len > skb->len - A)
+ 				return 0;
+ 
+ 			nla = nla_find_nested(nla, X);

debian/patches/series

@@ -83,3 +83,4 @@ features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
 features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
 bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch
 bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch
+bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch