[Lucid][Precise/lts-backport-quantal][CVE-2014-3144][CVE-2014-3145] filter: prevent nla extensions to peek beyond the end of the message
Luis Henriques
luis.henriques at canonical.com
Thu Jun 5 14:31:52 UTC 2014
Following this email, I'm sending the CVE-2014-3144 and CVE-2014-3145
fix (same commit), both for Lucid and lts-backport-quantal.
The backport of the fix is based on David Miller's backports for 3.2.y
and 3.4.y stable kernels. However, the original backport contained
what I initially thought was duplicated code:
diff --git a/net/core/filter.c b/net/core/filter.c
index 5dea452..5b4d7ec 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -336,11 +336,15 @@ load_b:
if (skb_is_nonlinear(skb))
return 0;
+ if (skb->len < sizeof(struct nlattr))
+ return 0;
+ if (skb->len < sizeof(struct nlattr))
+ return 0;
if (A > skb->len - sizeof(struct nlattr))
return 0;
nla = (struct nlattr *)&skb->data[A];
- if (nla->nla_len > A - skb->len)
+ if (nla->nla_len > skb->len - A)
return 0;
nla = nla_find_nested(nla, X);
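Review bot: the two consecutive `+ if (skb->len < sizeof(struct nlattr)) return 0;` lines at the top of the hunk are identical, so the second copy can never fire and should be dropped; the hunk header (`-336,11 +336,15`, four added lines) reflects the duplicate, while the shortlog diffstat further down (3 insertions, 1 deletion) matches a version with a single copy. With one copy the logic reads correctly: the `skb->len < sizeof(struct nlattr)` guard keeps the unsigned subtraction in `A > skb->len - sizeof(struct nlattr)` from wrapping on short messages, and replacing `nla->nla_len > A - skb->len` with `nla->nla_len > skb->len - A` fixes the inverted operands so an attribute length that runs past the end of the buffer is rejected before `nla_find_nested()` walks it.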
After reporting upstream[1], it ended up being a bug in patch (the
tool), and Mathias Krause provided a correct fix for these 2 kernels.
[1] http://thread.gmane.org/gmane.linux.kernel.stable/92920/focus=1718967
Mathias Krause (1):
filter: prevent nla extensions to peek beyond the end of the message
net/core/filter.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
1.9.1