From 6001677098875a64c1082cfd377bc594f5820823 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mar 17 2014 19:35:08 +0000
Subject: CVE-2014-2523 netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages (rhbz 1077343 1077350)
---
diff --git a/kernel.spec b/kernel.spec
index 89cf3d0..e2d100d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -800,6 +800,9 @@ Patch25041: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
 #rhbz 1046495
 Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
+#CVE-2014-2523 rhbz 1077343 1077350
+Patch25045: netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1556,6 +1559,9 @@ ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
 #rhbz 1046495
 ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
+#CVE-2014-2523 rhbz 1077343 1077350
+ApplyPatch netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2367,6 +2373,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Mon Mar 17 2014 Josh Boyer
+- CVE-2014-2523 netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages (rhbz 1077343 1077350)
+
 * Wed Mar 12 2014 Josh Boyer
 - Fix locking issue in iwldvm (rhbz 1046495)
diff --git a/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch b/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
new file mode 100644
index 0000000..003a30c
--- /dev/null
+++ b/netfilter-nf_conntrack_dccp-fix-skb_header_pointer-A.patch
@@ -0,0 +1,65 @@
+Bugzilla: 1077350
+Upstream-status: 3.14-rc1
+
+From b22f5126a24b3b2f15448c3f2a254fc10cbc2b92 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Mon, 6 Jan 2014 00:57:54 +0100
+Subject: [PATCH] netfilter: nf_conntrack_dccp: fix skb_header_pointer API
+ usages
+
+Some occurences in the netfilter tree use skb_header_pointer() in
+the following way ...
+
+ struct dccp_hdr _dh, *dh;
+ ...
+ skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
+
+... where dh itself is a pointer that is being passed as the copy
+buffer. Instead, we need to use &_dh as the forth argument so that
+we're copying the data into an actual buffer that sits on the stack.
+
+Currently, we probably could overwrite memory on the stack (e.g.
+with a possibly mal-formed DCCP packet), but unintentionally, as
+we only want the buffer to be placed into _dh variable.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Pablo Neira Ayuso
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
+index 3841268..cb372f9 100644
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -428,7 +428,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
+ const char *msg;
+ u_int8_t state;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ BUG_ON(dh == NULL);
+
+ state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
+@@ -486,7 +486,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
+ u_int8_t type, old_state, new_state;
+ enum ct_dccp_roles role;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ BUG_ON(dh == NULL);
+ type = dh->dccph_type;
+
+@@ -577,7 +577,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
+ unsigned int cscov;
+ const char *msg;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+ if (dh == NULL) {
+ msg = "nf_ct_dccp: short packet ";
+ goto out_invalid;
+-- 
+1.8.5.3
+
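Review bot: The new patch file's `Bugzilla: 1077350` header cites only one of the two bug ids, while the kernel.spec comment lines and the changelog entry in this same commit record `rhbz 1077343 1077350`; unless the omission is deliberate, `Bugzilla: 1077343 1077350` would keep the patch header and the spec in agreement. The three hunks of the embedded upstream patch show only fragments of dccp_new, dccp_packet and dccp_error, so each function's remaining body is outside this view; from what is visible, passing `&_dh` as the fourth argument points the copy at the stack buffer declared for it, which is the fix the upstream message describes. The `BUG_ON(dh == NULL)` lines left in dccp_new and dccp_packet are pre-existing context rather than part of this change; whether they stay unreachable for short packets presumably depends on dccp_error's `if (dh == NULL)` rejection running first, which this page does not show.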