Full Disclosure mailing list archives

Re: XADV-2013004 Linux Kernel ipvs Kernel Stack Overflow

From: Alan J. Wylie <shyyqvfpybfher () wylie me uk>
Date: Mon, 11 Nov 2013 13:55:56 +0000

x90c <geinblues () gmail com> writes:

+--------------------------------------------------------+
| XADV-2013004 Linux Kernel ipvs Kernel Stack Overflow   |
+--------------------------------------------------------+

 Vulnerable versions:
 - linux kernel 2.6.32 <=

 Not vulnerable versions:
 - linux kernel 2.6.33 <=

                         ^^
ITYM >=

 - linux kernel 3.x

 Testbed: linux kernel 2.6.18
 Type: Local
 Impact: Local Privilege Escalation
 Vendor: http://www.kernel.org
 Author: x90c <geinblues *nospam* gmail dot com>
 Site: x90c.org

...

The do_ip_vs_set_ctl() in the ipvs is vulnerable function.
It's vulnerable to the kernel stack overflow with no sanity check
when copying the getsockopt socket option value from the userspace
to the arg[] variable.

...

    /* XXX no sanity check. (kernel stack overflow) */
    if (copy_from_user(arg, user, len) != 0)


Fixed nearly four years ago.

------------------------------------------------------------------------------
commit 04bcef2a83f40c6db24222b27a52892cba39dffb
Author: Arjan van de Ven <arjan () linux intel com>
Date:   Mon Jan 4 16:37:12 2010 +0100

    ipvs: Add boundary check on ioctl arguments
    
    The ipvs code has a nifty system for doing the size of ioctl command
    copies; it defines an array with values into which it indexes the
    cmd
    to find the right length.
    
    Unfortunately, the ipvs code forgot to check if the cmd was in the
    range that the array provides, allowing for an index outside of the
    array, which then gives a "garbage" result into the length, which
    then gets used for copying into a stack buffer.
    
    Fix this by adding sanity checks on these as well as the copy size.
    
    [ horms () verge net au: adjusted limit to IP_VS_SO_GET_MAX ]
    Signed-off-by: Arjan van de Ven <arjan () linux intel com>
    Acked-by: Julian Anastasov <ja () ssi bg>
    Signed-off-by: Simon Horman <horms () verge net au>
    Signed-off-by: Patrick McHardy <kaber () trash net>

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c
b/net/netfilter/ipvs/ip_vs_ctl.c
index 6bde12d..c37ac2d 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void
__user *user, unsigned int len)
        if (!capable(CAP_NET_ADMIN))
                return -EPERM;
 
+       if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
+               return -EINVAL;
+       if (len < 0 || len >  MAX_ARG_LEN)
+               return -EINVAL;
        if (len != set_arglen[SET_CMDID(cmd)]) {
                pr_err("set_ctl: len %u != %u\n",
                       len, set_arglen[SET_CMDID(cmd)]);

------------------------------------------------------------------------------

-- 
Alan J. Wylie                                          http://www.wylie.me.uk/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

XADV-2013004 Linux Kernel ipvs Kernel Stack Overflow x90c (Nov 11)
- Re: XADV-2013004 Linux Kernel ipvs Kernel Stack Overflow Alan J . Wylie (Nov 11)