linux kernel 2.6.38.8 ipv4 ipt_CLUSTERIP buffer overflow

2011-06-27 / 2011-06-28
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 4/10
Impact Subscore: 6.9/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes. It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1e26a48..af7dec6 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -669,8 +669,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input, char buffer[PROC_WRITELEN+1]; unsigned long nodenum; - if (copy_from_user(buffer, input, PROC_WRITELEN)) + if (size > PROC_WRITELEN) + return -EIO; + if (copy_from_user(buffer, input, size)) return -EFAULT; + buffer[size] = 0; if (*buffer == '+') { nodenum = simple_strtoul(buffer+1, NULL, 10); -- 1.7.0.4 --

References:

https://bugzilla.redhat.com/show_bug.cgi?id=689337
http://www.openwall.com/lists/oss-security/2011/03/21/4
http://www.openwall.com/lists/oss-security/2011/03/21/1
http://www.openwall.com/lists/oss-security/2011/03/18/15
http://marc.info/?l=netfilter-devel&m=130036157327564&w=2
http://marc.info/?l=netfilter&m=129978077509888&w=2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=961ed183a9fd080cf306c659b8736007e44065a5
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top