Commit 7a4ff673 authored by Natanael Copa

main/linux-grsec: security fixes (CVE-2013-0290) + sock_diag out of bounds

fixes #1626
fixes #1619
parent 6342d239
From ecc18050ef1ebd1dd63ebab44297d09a48360fc5 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sat, 23 Feb 2013 01:13:47 +0000
Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to
sock_diag_handlers[]
Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
with a family greater or equal then AF_MAX -- the array size of
sock_diag_handlers[]. The current code does not test for this
condition therefore is vulnerable to an out-of-bound access opening
doors for a privilege escalation.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/core/sock_diag.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 849f809..5e8d4a9 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -133,6 +133,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (nlmsg_len(nlh) < sizeof(*req))
return -EINVAL;
+ if (req->sdiag_family >= AF_MAX)
+ return -EINVAL;
+
hndl = sock_diag_lock_handler(req->sdiag_family);
if (hndl == NULL)
err = -ENOENT;
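Review bot: the new bound check is placed correctly, after the nlmsg_len() check so req->sdiag_family is only read once the request header is known to be complete, and before sock_diag_lock_handler() indexes the AF_MAX-sized sock_diag_handlers[] table that the commit message describes. Only an upper bound is needed because sdiag_family is a __u8 in struct sock_diag_req, so a negative index is impossible; returning -EINVAL here is consistent with the header-validation failure two lines above, whereas -ENOENT stays reserved for "no handler registered". One suggestion: this guards a single caller, so moving the range check into sock_diag_lock_handler() itself would also cover any other path that reaches the handler table with a caller-supplied family.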
--
1.8.1.4
From 8679699f038e5cbd360df52e347e733f367bb30f Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 12 Feb 2013 06:16:53 +0000
Subject: [PATCH 2/2] net: fix infinite loop in __skb_recv_datagram()
Tommi was fuzzing with trinity and reported the following problem:
commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
missed that a raw socket receive queue can contain skbs with no payload.
We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
wait_for_packet() is not prepared to skip these skbs.
[ 83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
[ 83.541011] INFO: Stall ended before state dump start
[ 108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
...
[ 108.067010] Call Trace:
[ 108.067010] [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
[ 108.067010] [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
[ 108.067010] [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
[ 108.067010] [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
[ 108.067010] [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
[ 108.067010] [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
[ 108.067010] [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b
Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
---
net/core/datagram.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/datagram.c b/net/core/datagram.c
index 6a6ac94..07ccc3e 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned flags,
skb_queue_walk(queue, skb) {
*peeked = skb->peeked;
if (flags & MSG_PEEK) {
- if (*off >= skb->len) {
+ if (*off >= skb->len && skb->len) {
*off -= skb->len;
continue;
}
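Review bot: the added `&& skb->len` guard stops the loop, but the condition reads as a puzzle without the commit message; a one-line comment above it would help, e.g. that a zero-length skb must not be skipped because `*off -= skb->len` leaves *off unchanged and, in MSG_PEEK mode, the skb stays on the queue, so wait_for_packet() returns immediately and the walk repeats forever. The resulting semantics should also be stated explicitly: a zero-length datagram is now returned to a peeking caller even when *off is non-zero, with *off left untouched, so callers that do their own offset accounting across peeks will see that datagram at every offset.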
--
1.8.1.4
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.6.11
_kernver=3.6
pkgrel=13
pkgrel=14
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
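Review bot: the pkgrel bump from 13 to 14 is the right trigger for a rebuild, since pkgver stays at 3.6.11 and only patches are added. The -/+ markers on the two pkgrel lines are not visible in this rendering, so confirm the old value is replaced rather than duplicated. The commit subject attaches CVE-2013-0290 to the set but identifies the sock_diag fix only by description; recording its identifier in the message once assigned would make the tracker references (#1626, #1619) easier to correlate with advisories.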
@@ -28,6 +28,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
xsa43-pvops.patch
0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
kernelconfig.x86
kernelconfig.x86_64
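Review bot: the two new source entries are named after the format-patch subjects above and are appended after xsa43-pvops.patch, so they apply last in the series, on top of the grsecurity and Xen patches; confirm in the build log that both applied without fuzz against the already-patched tree. Consider noting the upstream commit ids (ecc18050 and 8679699f, from the From lines above) next to the entries in the APKBUILD so the patches can be dropped cleanly when the kernel is bumped to a release that already contains them.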
@@ -163,5 +165,43 @@ d9b4a528e722d10ba53034ebd440c31b ipv4-remove-output-route-check-in-ipv4_mtu.pat
89dbb0886c9d17c3c4a5ff4f1443e936 xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
bce9f08c86570a0a86ef36f1d2e7a2dd xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
2399192c10ba600a086a4c946f1b72f2 xsa43-pvops.patch
2eae706f3b25a4a3341ef78eb29197dc 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
9fcb70f1b8e22ad83e959afc58a7332d 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
02ed0c981afbf6a1fc81d5fa9b44e7df kernelconfig.x86
4927251c008b2c2bf5648d732ec63f9d kernelconfig.x86_64"
sha256sums="4ab9a6ef1c1735713f9f659d67f92efa7c1dfbffb2a2ad544005b30f9791784f linux-3.6.tar.xz
4bdc3822571a4a765bf6f347aad8b899730acef549ae4236813fd17f254f4327 patch-3.6.11.xz
3949b8aff2f0c2e108f897f119c98c002937093baa54385d46baad19300954e1 patch-3.6.11-al3.patch
09a266a5aeba727b29304f4ec41bc08962a71df931646cc6910c5555ffbee14c grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde 0004-arp-flush-arp-cache-on-device-change.patch
fdce1143aa10a48582b5bb9cf441b75c6f52701a61f28139970f3110a170fb97 r8169-num-rx-desc.patch
c3673636d7604b7b3df665acc0fc0153a76ac6b7f36bb931d235ea1132ac1852 ipv4-remove-output-route-check-in-ipv4_mtu.patch
2c5f4fc70c9e6c1be9890cd5e5a8c45cc500cc71c7faf8b8f7a7152b1e6bcf88 0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
7ba9b10b04197d3009ad3facabd0bdb2cab870fabcc841716efb1041412a20cd r8169-fix-vlan-tag-reordering.patch
99cf93e37985908243b974cc726f57e592e62ae005eca52969f11fb6fdea6fb5 xsa39-pvops-0001-xen-netback-shutdown-the-ring-if-it-contains-garbage.patch
e0c4226b0910ca455f22ae117e8346d87053e9faf03ec155dd6c31e2f58a1969 xsa39-pvops-0002-xen-netback-don-t-leak-pages-on-failure-in-xen_netbk.patch
70e6cb644a57cdda7f29eb86086a8e697706c3fc974a44c52322e451fd6b9d5c xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
5d0db59bbd5ad3a7efae78a6c26fc2491b7c553e5519dd946d1422a116af73dd xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
6efe83c9951dcba20f18095814d19089e19230c6876bbdab32cc2f1165bb07c8 xsa43-pvops.patch
c8981bb73042f2a14a32c80e15f85d31e78c425808de437c455e0f4f90b17ec2 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
4aaf19e18a71a502ff12ebacaf7c8d0c14b4c3d46d88058dbce0cb567aed0f3c 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
c4236fa6150c9cba98280aadc2daccd917410148e06d2231cc8c5370d1735577 kernelconfig.x86
3afefde6d92e1c41f6487c2279c5b707ef42ce42e4f7fe9e37d482c3e24ec3b1 kernelconfig.x86_64"
sha512sums="6e3354184d1799228a2d33b92e4a6b743cc24352b8ccc1fd487fab07ab97be2aa03ba87b8406a177581692db1fd40674fbd4e213a782cbe0a6a969b10c4c17a1 linux-3.6.tar.xz
08423f145ee7aef49f50d95032595ee79250135b6ecfa72f802502a277f215b63c4dc04ed149fe4ed7cdaa5ef063b8003b7f72f41d8417e45efbe7e30e621387 patch-3.6.11.xz
8b9656c1b535dea4e32fcb9a6b44ae6c12548a262f40bd94ea81c4f475d301da20cbf0ab0eef77a61dcdddaad21b850858ddc1a03c741bf6f2ae285310f49508 patch-3.6.11-al3.patch
f2b6735194597e9296f0fccd65bdbfd6f2489c40526294f00a1ad543e8cb3b0a41ceee26cd2f0cbfa31ec423927c5e693d63856e65c7ad8a79666176595aca8a grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e 0004-arp-flush-arp-cache-on-device-change.patch
d9c91b57415c7c3c365add35565f72ba6225e48212f55abb209e1f426902206543edefb9fc01715357e445b69222a6fb94c3469d701e465450919bad3c83d874 r8169-num-rx-desc.patch
fbbaa9c940f70823f5672db04b78de71233ecdda83d0cbeaeac941d732b0e3b18be38a0ed85d7bd03818114d00d9fe00935532968bee5b4673e8fadfda8c0281 ipv4-remove-output-route-check-in-ipv4_mtu.patch
55ebc903f2384926c7a0a9abbb685b1719d08363fa97deddbd6b632928d94956cdc0b4c75d4b0230d627a02baf249d57033820e0fb11ff6723faa904370a54c8 0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
958f5dfb57b6760e92d39027e8ec8d0abc2d99f6b40ef3c108fe90acfe00f3d5fdc2ccebddeffbf70794f6d7a394d985adf40808c2d4c8f7d0591c589b88bbbc r8169-fix-vlan-tag-reordering.patch
29bbd379a06dbb060871b089c9926cadc6e6a2cae141246386f98e5737436ff503b522f08e91bdfa220cf9610cfe19990375e395a2cb01e19cf9b4f37c59a7f1 xsa39-pvops-0001-xen-netback-shutdown-the-ring-if-it-contains-garbage.patch
abb148ef92e516d9632912d10ce5d1f5c1425c25fc601a84cfd3a4ba10a374a7cc8ec38c4ad5d2ba815e17d8b2ce006ce364650aa0418b76b5dcdafd54194707 xsa39-pvops-0002-xen-netback-don-t-leak-pages-on-failure-in-xen_netbk.patch
162885acbdea08dd6089d692fba65bacdcfc02e3617ce6b170b736167294bdb2a9b0eac5d33634fcafc91ca2acac9301e2bc9873aa70c43eba1107d3ae83c4ab xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
61388dab7a572da5ea598ff430359007288901f00a7f6b243163dc901bf57a2270de8ef897e17273532aab9c08d5c7c2dbce58e6b85e7b3ca724ffe138559802 xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
383c00a2520f0e27a4e51ef4e499cd8dc33f75ef4d3d5eab22944126c41de20dccf563d1d05cd557cae4091167de78f44ec5bfb76e33f503b36b5e3d756fcaed xsa43-pvops.patch
025c948e157c1bbc0158fea124205792ecc0abc692ad862c14861a304492c0d2e1f931ad5c6434ba37ae9a8389e9cea0d5fd111f44e99f7dcb9336d7e4bfdb7b 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
c95a0c71cee924686185d138b15c94c7593ecac7afa48957204b16bd24b0fbf641fbefd2e18dd5e72eef33f8eb07c24240f5c64b8c73c0bc73d9dfcda44b237a 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
065fff74ab7f885a45d98a1cd2bc5aaf6cb9a08d830297aaab54b512b7c90d692e37101810ee36a1f26e757990f763b664788a858b3ab40d0b4821205b9d3995 kernelconfig.x86
ba9a0b035a97089e51e0a0b723c69148866dabb4baf74c870a005350f7bfd789ab47595c7bc7e218de6d7479d16279cb906aee2ffeda9a6b141ad43ecc26dd4f kernelconfig.x86_64"
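Review bot: the hunk header (5 lines becoming 43) matches what is shown: two md5 entries for the new patches plus the complete sha256sums and sha512sums arrays, which are introduced in this commit and already carry an entry for every source file, the two new patches included. Because the patch files were produced locally with git format-patch (trailer 1.8.1.4), regenerating them later would change all three sums, so the committed copies must be kept verbatim. Keeping md5sums alongside the stronger arrays is fine for compatibility with older abuild, but all three arrays must be regenerated together on any future change to the source list.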