kernel-packages team mailing list archive

Thread
Date
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1555338@xxxxxxxxxxxxxxxxxx>
Date: Mon, 14 Mar 2016 13:32:24 -0000
Reply-to: Bug 1555338 <1555338@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package linux - 3.2.0-101.141

---------------
linux (3.2.0-101.141) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555809

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.2.0-100.140) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548504

  [ Upstream Kernel Changes ]

  * veth: don’t modify ip_summed; doing so treats packets with bad
    checksums as good.
    - LP: #1547207
  * ALSA: usb-audio: avoid freeing umidi object twice
    - LP: #1546177
    - CVE-2016-2384

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Thu, 10 Mar 2016 13:05:32 -0800

** Changed in: linux (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl is can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions