kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #166325
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
v2 of the patch
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338
Title:
Linux netfilter IPT_SO_SET_REPLACE memory corruption
Status in linux package in Ubuntu:
Fix Committed
Status in linux-lts-utopic package in Ubuntu:
Invalid
Status in linux source package in Precise:
New
Status in linux-lts-utopic source package in Precise:
Invalid
Status in linux source package in Trusty:
New
Status in linux-lts-utopic source package in Trusty:
New
Status in linux source package in Vivid:
New
Status in linux-lts-utopic source package in Vivid:
Invalid
Status in linux source package in Wily:
In Progress
Status in linux-lts-utopic source package in Wily:
Invalid
Status in linux source package in Xenial:
Fix Committed
Status in linux-lts-utopic source package in Xenial:
Invalid
Bug description:
[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
ioctl in the netfilter code for iptables support. This ioctl is can be
triggered by an unprivileged user on PF_INET sockets when unprivileged
user namespaces are available (CONFIG_USER_NS=y). Android does not
enable this option, but desktop/server distributions and Chrome OS
will commonly enable this to allow for containers support or
sandboxing.
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset:
newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;
This means that an out of bounds 32-bit write can occur in a 64kb
range from the allocated heap entry, with a controlled offset and a
partially controlled write value ("pos") or zero. The attached proof-
of-concept (netfilter_setsockopt_v3.c) triggers the corruption
multiple times to set adjacent heap structures to zero.
This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
appears that a similar codepath is accessible via
arp_tables.c/ARPT_SO_SET_REPLACE as well.
[Fix]
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150
[Test Case]
Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
gcc net*v3.c -o v3
./v3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions