Re: [Coverity] Untrusted user data in kernel

[Patrick McHardy]

James Morris wrote:

> This at least needs CAP_NET_ADMIN.
It is already checked in do_ip6t_set_ctl(). Otherwise anyone could
replace iptables rules :)

Regards
Patrick

> On Thu, 16 Dec 2004, Bryan Fulton wrote:
>  
>
> > ////////////////////////////////////////////////////////
> > // 3:   /net/ipv6/netfilter/ip6_tables.c::do_replace  //
> > ////////////////////////////////////////////////////////
> >
> > - tainted unsigned scalar tmp.num_counters multiplied and passed to
> > vmalloc (1161) and memset (1166) which could overflow or be too large
> >
> > Call to function "copy_from_user" TAINTS argument "tmp"
> >
> > 1143            if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
> > 1144                    return -EFAULT;
> >
> > ...
> >
> > TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
> > sink.
> >
> > 1161            counters = vmalloc(tmp.num_counters * sizeof(struct
> > ip6t_counters));
> > 1162            if (!counters) {
> > 1163                    ret = -ENOMEM;
> > 1164                    goto free_newinfo;
> > 1165            }
> >
> > TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
> > sink.
> >
> > 1166            memset(counters, 0, tmp.num_counters * sizeof(struct
> > ip6t_counters));
> >
> >    
>
>  

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/