netdev
[Top] [All Lists]

Re: [Coverity] Untrusted user data in kernel

To: James Morris <jmorris@xxxxxxxxxx>
Subject: Re: [Coverity] Untrusted user data in kernel
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 17 Dec 2004 06:25:37 +0100
Cc: Bryan Fulton <bryan@xxxxxxxxxxxx>, netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
In-reply-to: <Xine.LNX.4.44.0412170012040.12382-100000@xxxxxxxxxxxxxxxxxxxxxxxx>
References: <Xine.LNX.4.44.0412170012040.12382-100000@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.3) Gecko/20041008 Debian/1.7.3-5
James Morris wrote:

This at least needs CAP_NET_ADMIN.

It is already checked in do_ip6t_set_ctl(). Otherwise anyone could
replace iptables rules :)

Regards
Patrick


On Thu, 16 Dec 2004, Bryan Fulton wrote:
////////////////////////////////////////////////////////
// 3:   /net/ipv6/netfilter/ip6_tables.c::do_replace  //
////////////////////////////////////////////////////////

- tainted unsigned scalar tmp.num_counters multiplied and passed to
vmalloc (1161) and memset (1166) which could overflow or be too large

Call to function "copy_from_user" TAINTS argument "tmp"

1143            if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1144                    return -EFAULT;

...

TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
sink.

1161            counters = vmalloc(tmp.num_counters * sizeof(struct
ip6t_counters));
1162            if (!counters) {
1163                    ret = -ENOMEM;
1164                    goto free_newinfo;
1165            }

TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
sink.

1166            memset(counters, 0, tmp.num_counters * sizeof(struct
ip6t_counters));




<Prev in Thread] Current Thread [Next in Thread>