netfilter do_add_counters (CVE-2006-0039)
authorChris Wright <chrisw@sous-sol.org>
Tue, 16 May 2006 23:23:48 +0000 (16:23 -0700)
committerChris Wright <chrisw@sous-sol.org>
Tue, 16 May 2006 23:23:48 +0000 (16:23 -0700)
queue-2.6.16/netfilter-do_add_counters-race-possible-info-leak.patch [new file with mode: 0644]
queue-2.6.16/series

diff --git a/queue-2.6.16/netfilter-do_add_counters-race-possible-info-leak.patch b/queue-2.6.16/netfilter-do_add_counters-race-possible-info-leak.patch
new file mode 100644 (file)
index 0000000..599512f
--- /dev/null
@@ -0,0 +1,66 @@
+From vendor-sec-admin@lst.de  Tue May 16 12:09:39 2006
+Date: Tue, 16 May 2006 12:07:20 -0700
+From: Chris Wright <chrisw@sous-sol.org>
+To: Marcel Holtmann <holtmann@redhat.com>
+Cc: Kirill Korotaev <dev@sw.ru>, Solar Designer <solar@openwall.com>, Patrick McHardy <kaber@trash.net>
+Subject: [PATCH] Netfilter: do_add_counters race, possible info leak (CVE-2006-0039)
+
+Solar Designer found a race condition in do_add_counters(). The beginning of
+paddc is supposed to be the same as tmp which was sanity-checked above, but it
+might not be the same in reality. In case the integer overflow and/or the race
+condition are triggered, paddc->num_counters might not match the allocation size
+for paddc. If the check below (t->private->number != paddc->num_counters)
+nevertheless passes (perhaps this requires the race condition to be triggered),
+IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
+potentially leaking sensitive data (e.g., passwords from host system or from
+another VPS) via counter increments.  This requires CAP_NET_ADMIN.
+
+https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
+
+Cc: Solar Designer <solar@openwall.com>
+Cc: Kirill Korotaev <dev@sw.ru>
+Cc: Patrick McHardy <kaber@trash.net>
+(chrisw: rebase of Solar's patch to 2.6.16.16)
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 7d7ab94..12bfc25 100644
+ net/ipv4/netfilter/arp_tables.c |    2 +-
+ net/ipv4/netfilter/ip_tables.c  |    2 +-
+ net/ipv6/netfilter/ip6_tables.c |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- linux-2.6.16.16.orig/net/ipv4/netfilter/arp_tables.c
++++ linux-2.6.16.16/net/ipv4/netfilter/arp_tables.c
+@@ -941,7 +941,7 @@ static int do_add_counters(void __user *
+       write_lock_bh(&t->lock);
+       private = t->private;
+-      if (private->number != paddc->num_counters) {
++      if (private->number != tmp.num_counters) {
+               ret = -EINVAL;
+               goto unlock_up_free;
+       }
+--- linux-2.6.16.16.orig/net/ipv4/netfilter/ip_tables.c
++++ linux-2.6.16.16/net/ipv4/netfilter/ip_tables.c
+@@ -1063,7 +1063,7 @@ do_add_counters(void __user *user, unsig
+       write_lock_bh(&t->lock);
+       private = t->private;
+-      if (private->number != paddc->num_counters) {
++      if (private->number != tmp.num_counters) {
+               ret = -EINVAL;
+               goto unlock_up_free;
+       }
+--- linux-2.6.16.16.orig/net/ipv6/netfilter/ip6_tables.c
++++ linux-2.6.16.16/net/ipv6/netfilter/ip6_tables.c
+@@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig
+       write_lock_bh(&t->lock);
+       private = t->private;
+-      if (private->number != paddc->num_counters) {
++      if (private->number != tmp.num_counters) {
+               ret = -EINVAL;
+               goto unlock_up_free;
+       }
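Review bot: The changed comparison in the arp_tables.c hunk (and the identical ip_tables.c and ip6_tables.c hunks) now tests `tmp.num_counters`, the copy that was validated before the allocation, instead of re-reading the user-supplied `paddc`, which closes the TOCTOU the description names; the integer-overflow path the description also mentions is not visibly touched by these three hunks, so whether the earlier allocation-size computation still needs its own bound check cannot be confirmed from this patch. The reason for preferring `tmp` over `paddc` lives only in the commit message, so a one-line comment on the changed line would help the next reader, e.g. `/* compare the validated copy (tmp), not paddc: userspace may have changed it since the size check */`. do_add_counters begins and ends outside each hunk, so whether the later iteration over the counters in `paddc` is bounded by `tmp.num_counters` rather than by the buffer's own header is not visible here and is worth confirming in the full function.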
index 4a9c20703b44dffd87a8b760286a9051de02f2b3..7777a1c14dc9e066c802219870e59d7cf9c9fbaf 100644 (file)
@@ -6,3 +6,4 @@ smbfs-fix-slab-corruption-in-samba-error-path.patch
 fs-compat.c-fix-if-typo.patch
 smbus-unhiding-kills-thermal-management.patch
 scx200_acb-fix-resource-name-use-after-free.patch
+netfilter-do_add_counters-race-possible-info-leak.patch