Home / exploits Linux kernel net ipvs stack buffer overflow
Posted on 16 November 2013
Linux kernel built with the IP Virtual Server(CONFIG_IP_VS) support is vulnerable to a buffer overflow flaw. It could occur while setting or retrieving socket options via setsockopt(2) or getsockopt(2) calls. Though a user needs to have CAP_NET_ADMIN privileges to perform these IP_VS operations. A user/program with CAP_NET_ADMIN privileges could use this flaw to further escalate their privileges on a system.
Upstream fix:
-------------
-> https://git.kernel.org/linus/04bcef2a83f40c6db24222b27a52892cba39dffb
References:
-----------
-> http://seclists.org/fulldisclosure/2013/Nov/77
-> https://bugzilla.redhat.com/show_bug.cgi?id=1030800
-rw-r--r-- net/netfilter/ipvs/ip_vs_ctl.c 14
1 files changed, 13 insertions, 1 deletions
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6bde12d..c37ac2d 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
+		return -EINVAL;
+	if (len < 0 || len > MAX_ARG_LEN)
+		return -EINVAL;
 	if (len != set_arglen[SET_CMDID(cmd)]) {
 		pr_err("set_ctl: len %u != %u ",
 		       len, set_arglen[SET_CMDID(cmd)]);
@@ -2352,17 +2356,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
 	unsigned char arg[128];
 	int ret = 0;
+	unsigned int copylen;
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
+		return -EINVAL;
+
 	if (*len < get_arglen[GET_CMDID(cmd)]) {
 		pr_err("get_ctl: len %u < %u ",
 		       *len, get_arglen[GET_CMDID(cmd)]);
 		return -EINVAL;
 	}
 
-	if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
+	copylen = get_arglen[GET_CMDID(cmd)];
+	if (copylen > 128)
+		return -EINVAL;
+
+	if (copy_from_user(arg, user, copylen) != 0)
 		return -EFAULT;
 
 	if (mutex_lock_interruptible(&__ip_vs_mutex))
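Review bot: The `len < 0` half of the new guard `if (len < 0 || len > MAX_ARG_LEN)` can never be true, because `len` is declared `unsigned int` in the do_ip_vs_set_ctl signature shown in the hunk header, and compilers with -Wtype-limits will report it as an always-false comparison. Reducing it to `if (len > MAX_ARG_LEN) return -EINVAL;` keeps the intended upper bound without the dead test. The preceding `cmd` range check is what actually protects the `set_arglen[SET_CMDID(cmd)]` index on the following line, so its position ahead of that lookup should be preserved as it is here. The body of do_ip_vs_set_ctl continues outside the hunk.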
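Review bot: The new `if (copylen > 128)` guard repeats the literal size of `unsigned char arg[128]` declared a few lines above it, so if either number is changed later the bound on the stack copy silently drifts away from the buffer it protects. Writing it as `if (copylen > sizeof(arg)) return -EINVAL;` ties the check to the array itself and makes the intent visible without a magic number. The ordering is otherwise right: the `cmd` range check now precedes the first `get_arglen[GET_CMDID(cmd)]` lookup, and `copylen` is validated before `copy_from_user` uses it. The body of do_ip_vs_get_ctl continues outside the hunk.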
