From: Chris Wright Date: Tue, 16 May 2006 23:23:48 +0000 (-0700) Subject: netfilter do_add_counters (CVE-2006-0039) X-Git-Tag: v2.6.16.17~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6570132cb9bb4f21c77016b2ac02cb14a316ef6a;p=thirdparty%2Fkernel%2Fstable-queue.git netfilter do_add_counters (CVE-2006-0039) --- diff --git a/queue-2.6.16/netfilter-do_add_counters-race-possible-info-leak.patch b/queue-2.6.16/netfilter-do_add_counters-race-possible-info-leak.patch new file mode 100644 index 00000000000..599512faec7 --- /dev/null +++ b/queue-2.6.16/netfilter-do_add_counters-race-possible-info-leak.patch 
@@ -0,0 +1,66 @@ +From vendor-sec-admin@lst.de Tue May 16 12:09:39 2006 +Date: Tue, 16 May 2006 12:07:20 -0700 +From: Chris Wright +To: Marcel Holtmann +Cc: Kirill Korotaev , Solar Designer , Patrick McHardy +Subject: [PATCH] Netfilter: do_add_counters race, possible info leak (CVE-2006-0039) + +Solar Designer found a race condition in do_add_counters(). The beginning of +paddc is supposed to be the same as tmp which was sanity-checked above, but it +might not be the same in reality. In case the integer overflow and/or the race +condition are triggered, paddc->num_counters might not match the allocation size +for paddc. If the check below (t->private->number != paddc->num_counters) +nevertheless passes (perhaps this requires the race condition to be triggered), +IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, +potentially leaking sensitive data (e.g., passwords from host system or from +another VPS) via counter increments. This requires CAP_NET_ADMIN. + +https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698 + +Cc: Solar Designer +Cc: Kirill Korotaev +Cc: Patrick McHardy +(chrisw: rebase of Solar's patch to 2.6.16.16) +Signed-off-by: Chris Wright +--- + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 7d7ab94..12bfc25 100644 + net/ipv4/netfilter/arp_tables.c | 2 +- + net/ipv4/netfilter/ip_tables.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- linux-2.6.16.16.orig/net/ipv4/netfilter/arp_tables.c ++++ linux-2.6.16.16/net/ipv4/netfilter/arp_tables.c +@@ -941,7 +941,7 @@ static int do_add_counters(void __user * + + write_lock_bh(&t->lock); + private = t->private; +- if (private->number != paddc->num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +--- linux-2.6.16.16.orig/net/ipv4/netfilter/ip_tables.c ++++ linux-2.6.16.16/net/ipv4/netfilter/ip_tables.c +@@ -1063,7 +1063,7 @@ 
do_add_counters(void __user *user, unsig + + write_lock_bh(&t->lock); + private = t->private; +- if (private->number != paddc->num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +--- linux-2.6.16.16.orig/net/ipv6/netfilter/ip6_tables.c ++++ linux-2.6.16.16/net/ipv6/netfilter/ip6_tables.c +@@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig + + write_lock_bh(&t->lock); + private = t->private; +- if (private->number != paddc->num_counters) { ++ if (private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } diff --git a/queue-2.6.16/series b/queue-2.6.16/series index 4a9c20703b4..7777a1c14dc 100644 --- a/queue-2.6.16/series +++ b/queue-2.6.16/series @@ -6,3 +6,4 @@ smbfs-fix-slab-corruption-in-samba-error-path.patch fs-compat.c-fix-if-typo.patch smbus-unhiding-kills-thermal-management.patch scx200_acb-fix-resource-name-use-after-free.patch +netfilter-do_add_counters-race-possible-info-leak.patch
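Review bot: In the arp_tables.c hunk, comparing private->number against tmp.num_counters instead of paddc->num_counters is the right fix for the race the description explains: tmp is the header that was copied in and sanity-checked first, while paddc is a second, independent copy of the same user buffer that a concurrent writer can change in between, so the old check validated a value the kernel had never bounded. What the hunk does not show is the length check and the allocation of paddc that precede it; please confirm that both are derived from tmp.num_counters as well, because the safety of the later IPT_ENTRY_ITERATE depends on private->number, the allocation size and the number of counters walked all being the same value, and this comparison only ties the first two of those together.

Review bot: For the ip_tables.c hunk, the commit message names an "integer overflow and/or the race condition" as triggers, but the hunk only changes which copy of num_counters is compared and does not touch the size computation. If the overflow refers to the multiplication in the length check above this hunk, it would help stable reviewers if the message stated whether that computation is already guarded (so that this one-line change is sufficient) or whether the overflow remains a separate issue; as written, a reader cannot tell from the diff alone.

Review bot: The ip6_tables.c hunk is the third identical edit to a third copy of do_add_counters, and the diffstat (3 files changed, 3 insertions, 3 deletions) confirms all three table families carry the same bug and receive the same fix. That is correct for this backport, but it is a maintainability point worth recording: the copy-in, length check and counter comparison are duplicated per family, which is how the same mistake ended up in all three. A follow-up that moves that sequence into one shared helper used by arp_tables, ip_tables and ip6_tables would mean the next fix of this kind lands once instead of three times.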