bridge: netfilter: fix information leak

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Andi Kleen <ak@linux.intel.com>
author: Vasiliy Kulikov <segoon@openwall.com> 2011-02-14 16:49:23 +0100
committer: Andi Kleen <ak@linux.intel.com> 2011-04-28 08:20:55 -0700
commit: ce0f98ea90a8171cdaf249c0c623b455931d69ec (patch)
tree: d59d812e64f0146e47b4584f581661cda271bc2a
parent: de204eb252ffd7786bcdead3a88d04e17b98a993 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 59ca00e40dec..62675dc51179 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1098,6 +1098,8 @@ static int do_replace(struct net *net, const void __user *user,
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
author	Vasiliy Kulikov <segoon@openwall.com>	2011-02-14 16:49:23 +0100
committer	Andi Kleen <ak@linux.intel.com>	2011-04-28 08:20:55 -0700
commit	ce0f98ea90a8171cdaf249c0c623b455931d69ec (patch)
tree	d59d812e64f0146e47b4584f581661cda271bc2a
parent	de204eb252ffd7786bcdead3a88d04e17b98a993 (diff)