diff --git a/debian/changelog b/debian/changelog
index a8345b4aa..9eb437aa3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -110,6 +110,8 @@ linux (3.14.4-1) UNRELEASED; urgency=medium
 * drm: Enable auto-loading of ast, udl
 * [ppc64el] Build a linux-libc-dev package (Closes: #747367)
 * net: ipv4: current group_info should be put after using. (CVE-2014-2851)
+ * filter: prevent nla extensions to peek beyond the end of the message
+ (CVE-2014-3144, CVE-2014-3145)
 -- Ben Hutchings Thu, 01 May 2014 01:50:30 +0100
diff --git a/debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch b/debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
new file mode 100644
index 000000000..58224c7e6
--- /dev/null
+++ b/debian/patches/bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
@@ -0,0 +1,78 @@
+From: Mathias Krause
+Date: Sun, 13 Apr 2014 18:23:33 +0200
+Subject: filter: prevent nla extensions to peek beyond the end of the message
+Origin: https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
+
+The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
+for a minimal message length before testing the supplied offset to be
+within the bounds of the message. This allows the subtraction of the nla
+header to underflow and therefore -- as the data type is unsigned --
+allowing far to big offset and length values for the search of the
+netlink attribute.
+
+The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
+also wrong. It has the minuend and subtrahend mixed up, therefore
+calculates a huge length value, allowing to overrun the end of the
+message while looking for the netlink attribute.
+
+The following three BPF snippets will trigger the bugs when attached to
+a UNIX datagram socket and parsing a message with length 1, 2 or 3.
+
+ ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
+ | ld #0x87654321
+ | ldx #42
+ | ld #nla
+ | ret a
+ `---
+
+ ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
+ | ld #0x87654321
+ | ldx #42
+ | ld #nlan
+ | ret a
+ `---
+
+ ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
+ | ; (needs a fake netlink header at offset 0)
+ | ld #0
+ | ldx #42
+ | ld #nlan
+ | ret a
+ `---
+
+Fix the first issue by ensuring the message length fulfills the minimal
+size constrains of a nla header. Fix the second bug by getting the math
+for the remainder calculation right.
+
+Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
+Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
+Cc: Patrick McHardy
+Cc: Pablo Neira Ayuso
+Signed-off-by: Mathias Krause
+Acked-by: Daniel Borkmann
+Signed-off-by: David S.
Miller
+[bwh: Backported to 3.14: This code is all in sk_run_filter(), not
+ separate functions]
+---
+ net/core/filter.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -371,11 +371,15 @@ load_b:
+
+ if (skb_is_nonlinear(skb))
+ return 0;
++ if (skb->len < sizeof(struct nlattr))
++ return 0;
++ if (skb->len < sizeof(struct nlattr))
++ return 0;
+ if (A > skb->len - sizeof(struct nlattr))
+ return 0;
+
+ nla = (struct nlattr *)&skb->data[A];
+- if (nla->nla_len > A - skb->len)
++ if (nla->nla_len > skb->len - A)
+ return 0;
+
+ nla = nla_find_nested(nla, X);
diff --git a/debian/patches/series b/debian/patches/series
index 0feb19619..37ba2d801 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -83,3 +83,4 @@ features/arm/ARM-sun4i-dt-Add-bindings-for-USB-clocks.patch
 features/arm/ARM-sun4i-dt-Add-USB-host-bindings.patch
 bugfix/all/net-Start-with-correct-mac_len-in-skb_network_protoc.patch
 bugfix/all/net-ipv4-current-group_info-should-be-put-after-usin.patch
+bugfix/all/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
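Review bot: In the backported net/core/filter.c hunk (`@@ -371,11 +371,15 @@ load_b:`) the new guard `if (skb->len < sizeof(struct nlattr)) return 0;` is inserted twice in succession, so the second copy is unreachable, and this hunk — the one ending in `nla_find_nested()`, i.e. the BPF_S_ANC_NLATTR_NEST case — is the only filter.c hunk the patch carries. The description and the CVE pair say BPF_S_ANC_NLATTR needs the same minimal-length check, and the bwh note says both cases live in sk_run_filter() in 3.14, so the duplicate looks like the hunk intended for the BPF_S_ANC_NLATTR case that landed in the wrong place; the quoted diffstat `7 insertions(+), 1 deletion(-)` does not match this single hunk either. I would drop the second copy and add the same two lines to the BPF_S_ANC_NLATTR case immediately before its own `if (A > skb->len - sizeof(struct nlattr))` test, then regenerate the diffstat. The BPF_S_ANC_NLATTR case is outside this hunk, so that placement should be confirmed against the 3.14 source before the patch is refreshed.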