bridge: netfilter: fix information leak

Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: N Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: N Patrick McHardy <kaber@trash.net>

bridge: netfilter: fix information leak
Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: N Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: N Patrick McHardy <kaber@trash.net>
d846f711 · Vasiliy Kulikov · Patrick McHardy · 44bd4de9 · d846f711
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

net/bridge/netfilter/ebtables.c net/bridge/netfilter/ebtables.c +2 -0

未找到文件。
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;

+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)