← Back to team overview

kernel-packages team mailing list archive

[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

 

** Changed in: linux (Ubuntu Vivid)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Trusty)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl is can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions