From: Patrick McHardy
Date: Fri, 17 Dec 2004 06:25:37 +0100
To: James Morris
CC: Bryan Fulton, netdev@oss.sgi.com, netfilter-devel@lists.netfilter.org, linux-kernel@vger.kernel.org
Subject: Re: [Coverity] Untrusted user data in kernel
Message-ID: <41C26DD1.7070006@trash.net>

James Morris wrote:
>This at least needs CAP_NET_ADMIN.
>

It is already checked in do_ip6t_set_ctl(). Otherwise anyone could replace
iptables rules :)

Regards
Patrick

>
>On Thu, 16 Dec 2004, Bryan Fulton wrote:
>
>>////////////////////////////////////////////////////////
>>// 3: /net/ipv6/netfilter/ip6_tables.c::do_replace     //
>>////////////////////////////////////////////////////////
>>
>>- tainted unsigned scalar tmp.num_counters multiplied and passed to
>>vmalloc (1161) and memset (1166) which could overflow or be too large
>>
>>Call to function "copy_from_user" TAINTS argument "tmp"
>>
>>1143         if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
>>1144                 return -EFAULT;
>>
>>...
>>
>>TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
>>sink.
>>
>>1161         counters = vmalloc(tmp.num_counters * sizeof(struct
>>ip6t_counters));
>>1162         if (!counters) {
>>1163                 ret = -ENOMEM;
>>1164                 goto free_newinfo;
>>1165         }
>>
>>TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
>>sink.
>>
>>1166         memset(counters, 0, tmp.num_counters * sizeof(struct
>>ip6t_counters));
>>
>
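The Coverity finding quoted above is about a user-supplied element count (`tmp.num_counters`, copied in with `copy_from_user()`) that is multiplied by `sizeof(struct ip6t_counters)` and handed to `vmalloc()` and `memset()`. The concern is that the product can wrap in 32-bit `size_t` arithmetic, so a large count yields a small allocation. The following is an added example, not code from this thread or from the kernel: it models that multiplication in user space (no kernel headers) and shows the bounded computation a reviewer would want in front of the allocation. `COUNTER_SIZE`, `size32_t`, `checked_mul_size32`, `would_wrap`, `unchecked_size32` and `counters_alloc_size` are names chosen for this example; the 16-byte element size is the one the report itself prints.

```c
/*
 * Added example (not from the mailing-list thread or the kernel source):
 * bounding a user-supplied element count before it becomes an allocation
 * size. Written against a modelled 32-bit size type so the wraparound the
 * Coverity report warns about is visible on any host.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for sizeof(struct ip6t_counters); the report shows 16 bytes. */
#define COUNTER_SIZE 16u

/* Model size_t on a 32-bit kernel so the overflow actually happens here. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/*
 * Compute n * elem_size into *out. Returns false when the product would
 * not fit in the 32-bit size type; a zero element size is rejected too.
 * The division check is portable and does not rely on compiler builtins.
 */
bool checked_mul_size32(uint32_t n, uint32_t elem_size, size32_t *out)
{
	if (elem_size == 0)
		return false;
	if (n > SIZE32_MAX / elem_size)
		return false;		/* n * elem_size would wrap */
	*out = (size32_t)n * elem_size;
	return true;
}

/* Convenience predicate: does n * COUNTER_SIZE wrap 32-bit arithmetic? */
bool would_wrap(uint32_t n)
{
	size32_t unused;
	return !checked_mul_size32(n, COUNTER_SIZE, &unused);
}

/* The unchecked expression the report flags, evaluated in 32 bits. */
size32_t unchecked_size32(uint32_t num_counters)
{
	return (size32_t)(num_counters * COUNTER_SIZE);	/* may wrap */
}

/*
 * Bounded allocation-size step: the count must be non-zero, must not
 * exceed a ceiling the caller derives from trusted state (here, an upper
 * bound on how many counters the table can hold), and the multiplication
 * must not wrap. Returns 0 when the request is rejected.
 */
size32_t counters_alloc_size(uint32_t num_counters, uint32_t max_counters)
{
	size32_t bytes;

	if (num_counters == 0 || num_counters > max_counters)
		return 0;
	if (!checked_mul_size32(num_counters, COUNTER_SIZE, &bytes))
		return 0;
	return bytes;
}

int main(void)
{
	/* Constructed inputs: a sane count and one that wraps 32-bit math. */
	uint32_t sane = 1000, wrapping = 0x10000001u;

	printf("count %u: unchecked=%u bytes, bounded=%u bytes\n",
	       sane, unchecked_size32(sane), counters_alloc_size(sane, 4096));
	printf("count 0x%x: unchecked=%u bytes (wrapped), bounded=%u (rejected)\n",
	       wrapping, unchecked_size32(wrapping),
	       counters_alloc_size(wrapping, 4096));
	return 0;
}
```

The two checks are deliberately separate: the ceiling (`max_counters`) rejects counts that are absurd for the table regardless of arithmetic, and the wrap check protects the multiplication itself, which is what the report's "could overflow or be too large" phrasing distinguishes. On a 64-bit kernel the 32-bit count times 16 cannot wrap `size_t`, which is why the finding matters most for 32-bit builds.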