Bugzilla – Attachment 26806 Details for Bug 63895
VUL-0: CVE-2004-1137: kernel: bug in IGMP code
[patch] updated patch from Chris Wright
chrisw.diff (text/plain), 2.93 KB, created by Ludwig Nussel on 2004-12-07 17:20:03 UTC
>[Added David Stevens to Cc: list, as some of this is his code.] > >* Chris Wright (chrisw@osdl.org) wrote: >> > 3) igmp_marksources() function is called in the context of an IGMP group >> > query and suffers from an out of bound access to kernel memory. This is >> > remotely exploitable if applications have bound a multicast socket. >> >> Didn't look at this one yet. > >OK, having looked at this, I don't see any problem. I assumed Paul >was concerned that nsrcs could exceed the actual number of srcs in >payload, and thus srcs[i] could be out of bounds. But this is already >accounted for by pskb_may_pull() as pointed out by David. Was there >something else, some other exploit? At this point I'm inclined to call >this one safe. > >Attached is a minor revision to the last patch I posted. Eliminates >some no-op changes that I made that David preferred to leave as is. > >Disclosure date of Dec 14th sound reasonable? > >thanks, >-chris >-- >Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net > >===== net/ipv4/igmp.c 1.58 vs edited ===== >--- 1.58/net/ipv4/igmp.c 2004-11-09 16:44:25 -08:00 >+++ edited/net/ipv4/igmp.c 2004-12-06 18:43:54 -08:00 >@@ -1778,12 +1778,12 @@ int ip_mc_source(int add, int omode, str > goto done; > rv = !0; > for (i=0; i<psl->sl_count; i++) { >- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, >+ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr, > sizeof(__u32)); >- if (rv >= 0) >+ if (rv >= 0) /* array is sorted */ > break; > } >- if (!rv) /* source not found */ >+ if (rv) /* source not found */ > goto done; > > /* update the interface filter */ 
>@@ -1825,7 +1825,7 @@ int ip_mc_source(int add, int omode, str > } > rv = 1; /* > 0 for insert logic below if sl_count is 0 */ > for (i=0; i<psl->sl_count; i++) { >- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, >+ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr, > sizeof(__u32)); > if (rv >= 0) > break; >===== net/ipv6/mcast.c 1.71 vs edited ===== >--- 1.71/net/ipv6/mcast.c 2004-11-11 15:07:25 -08:00 >+++ edited/net/ipv6/mcast.c 2004-12-06 18:43:54 -08:00 >@@ -391,12 +391,12 @@ int ip6_mc_source(int add, int omode, st > goto done; > rv = !0; > for (i=0; i<psl->sl_count; i++) { >- rv = memcmp(&psl->sl_addr, group, >+ rv = memcmp(&psl->sl_addr[i], source, > sizeof(struct in6_addr)); >- if (rv >= 0) >+ if (rv >= 0) /* array is sorted */ > break; > } >- if (!rv) /* source not found */ >+ if (rv) /* source not found */ > goto done; > > /* update the interface filter */ >@@ -437,7 +437,7 @@ int ip6_mc_source(int add, int omode, st > } > rv = 1; /* > 0 for insert logic below if sl_count is 0 */ > for (i=0; i<psl->sl_count; i++) { >- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr)); >+ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr)); > if (rv >= 0) > break; > } >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
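Review bot: In the first net/ipv4/igmp.c hunk (ip_mc_source, @@ -1778), the corrected test "if (rv) /* source not found */" relies on the initial "rv = !0;" staying nonzero when sl_count is 0, and nothing in the hunk says so. The insert path in the next hunk documents the same dependency as "rv = 1; /* > 0 for insert logic below if sl_count is 0 */". Suggest writing "rv = 1;" here as well, with a comment that an empty source list must fall into the not-found branch, so a later cleanup of the odd-looking "!0" cannot quietly turn an empty list into a match.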
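Review bot: In the second net/ipv4/igmp.c hunk (@@ -1825, the insert path), the unchanged "if (rv >= 0) break;" does not get the "/* array is sorted */" comment that the @@ -1778 hunk adds to the identical test, and both loops depend on the same ordering. Suggest adding the comment here too. Now that the comparison really walks sl_addr[i], rv == 0 at the break means the source is already in the list; the code after the loop is outside the visible context, so please confirm it treats rv == 0 as a duplicate rather than inserting a second copy. Both loops also pass "sizeof(__u32)" as the length; "sizeof(psl->sl_addr[i])" would tie the compared size to the element type.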
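Review bot: In both net/ipv6/mcast.c hunks (ip6_mc_source, @@ -391 and @@ -437), the second memcmp() argument changes from "group" to "source", but the declaration and assignment of "source" are not in the visible context. Please confirm it points at the source address of the request with type struct in6_addr *, so that "sizeof(struct in6_addr)" is the right length, or use "sizeof(*source)" to make that explicit. The @@ -391 hunk has the same undocumented dependency on "rv = !0;" as the IPv4 delete path, and the @@ -437 loop is missing the "/* array is sorted */" comment; keeping the two files textually parallel makes it easier to audit that the IPv4 and IPv6 fixes match.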