Bug 851148
| Summary: | libmnl: provide an API to detect Netlink spoofing | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> | ||||||
| Component: | libmnl | Assignee: | Hushan Jia <hushan.jia> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 19 | CC: | hushan.jia, nhorman, security-response-team | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | 848017 | Environment: | |||||||
| Last Closed: | 2015-02-19 14:05:03 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 848017, 848949 | ||||||||
| Attachments: |
|
||||||||
|
Description
Florian Weimer
2012-08-23 11:12:13 UTC
Created attachment 680486 [details]
[PATCH] libmnl: Add filtering support to library as a convienience
Theres been recent discussion about detecting and discarding unwanted netlink
messages in libmnl, so that we can avoid having applications get spoofed by user
space processes sending messages with malformed netlink headers. Commonly
applications want to be able to only receive messages from the kernel, but
libmnl currently doesn't offer a mechanism to do that. This patch adds such a
mechanism. It creates a function mnl_socket_recvfrom_filter, that adds an
extra function pointer parameter which is used to interrogate recieved frames
and filter them based on a desired criteria. It also adds a convieninece
function mnl_recvfrom_filter_user which can be passed as the filter agrument in
mnl_socket_recvfrom_filter, so as to prevent individual applications from
re-inventing the wheel over and over again.
Signed-off-by: Neil Horman <nhorman>
---
include/libmnl/libmnl.h | 4 ++
src/socket.c | 99 +++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 92 insertions(+), 11 deletions(-)
Note the above is untested, but it builds fine, and looks pretty straightforward. Since the kernel bits, according to the mailing list appear to have languished, I thought perhaps would be a good alternate solution. It gives us a common method to do filtering in libmnl without making each application re-invent the same type of filtering). Please let me know what you think. I was finally able to build this. I needed an additional patch which makes the new symbols visible. We should really try to get this patch upstream, so that we can get an official version for the symbol. I'm not sure if the retry loop in mnl_socket_recvfrom_filter is actually a good idea. I think this can cause cgdcbxd to get stuck waiting on one socket if a spoofed message is received which is not quickly followed by a non-spoofed message. I think mnl_socket_recvfrom_filter should return with an error code if a message is received which is then filtered. Or we should just expose the sender socket address to the caller and do the filtering there. Created attachment 716400 [details]
libmnl-filter-map.patch
Additional patch for exporting the new symbols.
Florian, regarding your suggestion about the loop, My feeling was that the detection could be done in the filter function, since we have the socket address available there. If thats unclear, we could document it as the point at which to break out of the loop. If you like I can propose this upstream. This needs to go to the netfilter-devel list, yes? (In reply to comment #5) > Florian, regarding your suggestion about the loop, My feeling was that the > detection could be done in the filter function, since we have the socket > address available there. If thats unclear, we could document it as the > point at which to break out of the loop. I'm worried that the caller performs select()/poll(), calls the receive function to obtain one packet (which should succeed without blocking because select()/poll() indicated that data was available). But after receiving the that packet, recvmsg() is called again if it was filtered, and that call can now block unexpectedly. > If you like I can propose this upstream. This needs to go to the > netfilter-devel list, yes? Yes, that would be the right list. hmm, ok, I see your point. Ok, given the options, I rather like the error code return a bit better. Either that, or a second method pointer to a receive function, where the caller can pass some code to do exactly the receive operation that they would like. I'll recode, and post it shortly. This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19 Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. This was fixed in the kernel. |