Local DoS in Linux socket filters

From: Patrick McHardy (kaber@trash.net)
Date: Fri Jul 25 2003 - 13:20:22 EST


Dave Miller asked me to post this so it is public:

The Linux Socket Filter implementation contains a bug which
can lead to a local DoS. Due to an unsigned->signed conversion
and insufficient bounds checking it is possible to crash the kernel
by accessing unmapped memory. The bug was introduced
during the attempt to fix other signedness issues in 2.4.3-pre3.

The attached two patches for 2.4 and 2.6 fix the problem (already
in davem's tree). Also attached is a program to crash your kernel.

Bye,
Patrick
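The signedness defect the mail describes, reduced to the bounds test itself so it can be run in user space. This is an added example written for this page, not code from the kernel or from the patches below; the helper names (`old_check_allows`, `new_check_allows`, `msh_load`) and the sample packet bytes are constructed for the demonstration, and the demo adds its own guard so the "crash" case is reported as a return code rather than an actual out-of-bounds read.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Pre-fix shape of the test (constructed, not the kernel's code): the filter
 * constant has been copied into a signed local `k`, while the packet length
 * `len` is unsigned. */
static bool old_check_allows(int k, unsigned int len)
{
    /* For a negative k the left operand is false, so the && short-circuits,
     * the load is NOT rejected, and data[k] would be read at a negative
     * offset. Only 0 <= k < len is actually meant to pass. */
    if (k >= 0 && (unsigned int)k >= len)
        return false;   /* rejected: out of bounds */
    return true;        /* allowed */
}

/* Post-fix shape: compare the constant as unsigned. A value that was
 * negative as an int is now a large unsigned number and is rejected
 * together with every other value >= len. */
static bool new_check_allows(unsigned int k, unsigned int len)
{
    return k < len;
}

/* Constructed sample packet: first byte 0x45 is an IPv4 version/IHL byte,
 * so the MSH load yields the header length (5 * 4 = 20). */
static const unsigned char sample_pkt[] = { 0x45, 0x00, 0x00, 0x3c };

/* Models the BPF_LDX|BPF_B|BPF_MSH load: X = (data[k] & 0xf) << 2.
 * Returns -1 when the selected check rejects the access, -2 when the check
 * allowed an index that is really out of bounds (the crash case in the
 * kernel; caught here by a demo-only guard), otherwise the computed X. */
static int msh_load(const unsigned char *data, unsigned int len,
                    uint32_t k, bool use_fixed_check)
{
    /* (int)k reproduces the unsigned->signed copy of the old code;
     * 0xffffffff becomes -1 on the usual two's-complement targets. */
    bool allowed = use_fixed_check ? new_check_allows(k, len)
                                   : old_check_allows((int)k, len);
    if (!allowed)
        return -1;
    if (k >= len)       /* demo guard: never actually index past the buffer */
        return -2;      /* the old check let this through */
    return (data[k] & 0xf) << 2;
}

int main(void)
{
    unsigned int len = sizeof sample_pkt;
    printf("k=0        fixed:  %d\n", msh_load(sample_pkt, len, 0, true));
    printf("k=0xffffffff old:  %d (would read data[-1])\n",
           msh_load(sample_pkt, len, 0xffffffffu, false));
    printf("k=0xffffffff fixed: %d (rejected)\n",
           msh_load(sample_pkt, len, 0xffffffffu, true));
    return 0;
}
```

The point the example makes is that `k >= 0 && (unsigned int)k >= len` is not a range check at all once `k` can be negative; the fix is not a different cast but dropping the signed temporary so the comparison stays unsigned end to end.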


===== filter.c 1.3 vs edited =====
--- 1.3/net/core/filter.c Tue Feb 5 08:40:16 2002
+++ edited/filter.c Fri Jul 25 02:16:30 2003
@@ -294,10 +294,9 @@
                                 goto load_b;
 
                         case BPF_LDX|BPF_B|BPF_MSH:
- k = fentry->k;
- if(k >= 0 && (unsigned int)k >= len)
+ if(fentry->k >= len)
                                         return (0);
- X = (data[k] & 0xf) << 2;
+ X = (data[fentry->k] & 0xf) << 2;
                                 continue;
 
                         case BPF_LD|BPF_IMM:
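Review bot: the effective fix in this hunk is the removal of the `k >= 0 &&` guard, not the cast: with `k` a signed local, a negative `fentry->k` made the whole condition false, skipped the `return (0);`, and let `X = (data[k] & 0xf) << 2;` index the packet at a negative offset. The replacement `if(fentry->k >= len)` is only correct because `fentry->k` and `len` are both evaluated as unsigned; a one-line comment above the test stating that the comparison is intentionally unsigned would keep a later cleanup from reintroducing a signed temporary.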


===== net/core/filter.c 1.6 vs edited =====
--- 1.6/net/core/filter.c Thu Jun 5 02:57:08 2003
+++ edited/net/core/filter.c Fri Jul 25 02:35:07 2003
@@ -256,10 +256,9 @@
                         k = X + fentry->k;
                         goto load_b;
                 case BPF_LDX|BPF_B|BPF_MSH:
- k = fentry->k;
- if (k >= 0 && (unsigned int)k >= len)
+ if (fentry->k >= len)
                                 return 0;
- X = (data[k] & 0xf) << 2;
+ X = (data[fentry->k] & 0xf) << 2;
                         continue;
                 case BPF_LD|BPF_IMM:
                         A = fentry->k;
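Review bot: same change as the 2.4 hunk and correct for the same reason, but the local `k` is still fed from the filter constant on the path directly above (`k = X + fentry->k;` followed by `goto load_b;`), so this function continues to mix a signed `k` with the unsigned `fentry->k`; if the check behind `load_b` has the same `k >= 0 && (unsigned int)k >= len` shape, it deserves the same treatment in a follow-up. Minor: this hunk uses `if (` with a space where the 2.4 hunk uses `if(`, which matches each file's surrounding style and is fine as is.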






This archive was generated by hypermail 2b29 : Thu Jul 31 2003 - 22:00:01 EST