Bug 462281 - kernel: netlink: fix overrun in attribute iteration
Summary: kernel: netlink: fix overrun in attribute iteration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 462282 462283
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-15 05:01 UTC by Eugene Teo (Security Response)
Modified: 2011-09-30 19:37 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-30 19:37:07 UTC
Embargoed:


Attachments (Terms of Use)
Upstream patch for this issue (3.10 KB, patch)
2008-09-15 05:05 UTC, Eugene Teo (Security Response)
no flags Details | Diff
Proposed backported patch for MRG kernel (581 bytes, patch)
2008-09-15 05:35 UTC, Eugene Teo (Security Response)
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0009 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-01-22 10:43:54 UTC

Description Eugene Teo (Security Response) 2008-09-15 05:01:57 UTC
Description of problem:
From: Vegard Nossum <vegard.nossum>

kmemcheck reported this:

  kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
  0500110001508abf050010000500000002017300140000006f72672e66726565
   i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
                                   ^
  Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13)
  EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0
  EIP is at nla_parse+0x5a/0xf0
  EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005
  ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88
   DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
  CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0
  DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000
  DR6: ffff4ff0 DR7: 00000400
   [<c05d4b23>] rtnl_setlink+0x63/0x130
   [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200
   [<c05ddf66>] netlink_rcv_skb+0x76/0xa0
   [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30
   [<c05dda21>] netlink_unicast+0x281/0x290
   [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0
   [<c05beef2>] sock_sendmsg+0xd2/0x100
   [<c05bf945>] sys_sendto+0xa5/0xd0
   [<c05bf9a6>] sys_send+0x36/0x40
   [<c05c03d6>] sys_socketcall+0x1e6/0x2c0
   [<c020353b>] sysenter_do_call+0x12/0x3f
   [<ffffffff>] 0xffffffff

This is the line in nla_ok():

  /**
   * nla_ok - check if the netlink attribute fits into the remaining bytes
   * @nla: netlink attribute
   * @remaining: number of bytes remaining in attribute stream
   */
  static inline int nla_ok(const struct nlattr *nla, int remaining)
  {
          return remaining >= sizeof(*nla) &&
                 nla->nla_len >= sizeof(*nla) &&
                 nla->nla_len <= remaining;
  }

It turns out that remaining can become negative due to alignment in
nla_next(). But GCC promotes "remaining" to unsigned in the test
against sizeof(*nla) above. Therefore the test succeeds, and the
nla_for_each_attr() may access memory outside the received buffer.

A short example illustrating this point is here:

  #include <stdio.h>

  main(void)
  {
          printf("%d\n", -1 >= sizeof(int));
  }

...which prints "1".

Comment 2 Eugene Teo (Security Response) 2008-09-15 05:05:40 UTC
Created attachment 316712 [details]
Upstream patch for this issue

Comment 4 Eugene Teo (Security Response) 2008-09-15 05:13:33 UTC
(In reply to comment #0)
> Description of problem:
> From: Vegard Nossum <vegard.nossum>
> 
> kmemcheck reported this:
> 
>   kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
>   0500110001508abf050010000500000002017300140000006f72672e66726565
>    i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
>                                    ^
>   Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty
> #13)

man wpa_supplicant - wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend component controlling the wire-less  connection. wpa_supplicant  supports  separate  frontend  programs and an example text-based frontend, wpa_cli, is included with wpa_supplicant.

Comment 5 Eugene Teo (Security Response) 2008-09-15 05:35:57 UTC
Created attachment 316713 [details]
Proposed backported patch for MRG kernel

Comment 7 Luis Claudio R. Goncalves 2008-10-29 00:10:08 UTC
The Patch for MRG was added in -82


Note You need to log in before you can comment on or make changes to this bug.