[Trusty][Xenial][Zesty][Artful][PATCH 0/1] CVE-2017-17449

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[Trusty][Xenial][Zesty][Artful][PATCH 0/1] CVE-2017-17449

Khalid Elmously
CVE-2017-17449


The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the
Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not
restrict observations of Netlink messages to a single net namespace, which
allows local users to obtain sensitive information by leveraging the
CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink
activity on the system.

(The patch will be fuzzed by a few lines for Trusty but should still apply cleanly)

(cherry-picked from upstream 93c647643b48f0131f02e45da3bd367d80443291)

Kevin Cernekee (1):
  netlink: Add netns check on taps

 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[Xenial][Zesty][Artful][PATCH 1/1] netlink: Add netns check on taps

Khalid Elmously
From: Kevin Cernekee <[hidden email]>

Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity.  Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
Signed-off-by: Khalid Elmously <[hidden email]>

---
 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7e794ad50cb0..3c7a3002f718 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
  struct sock *sk = skb->sk;
  int ret = -ENOMEM;
 
+ if (!net_eq(dev_net(dev), sock_net(sk)))
+ return 0;
+
  dev_hold(dev);
 
  if (is_vmalloc_addr(skb->head))
--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

NACK: [Trusty][Xenial][Zesty][Artful][PATCH 1/1][v3] CVE-2017-17449 netlink: Add netns check on taps

Kleber Souza
On 01/04/18 15:52, Khalid Elmously wrote:

> From: Kevin Cernekee <[hidden email]>
>
> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity.  Filter the traffic so that nlmon can only sniff
> netlink messages from its own netns.
>
> Test case:
>
>     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>                       ip link set nlmon0 up; \
>                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>         spi 0x1 mode transport \
>         auth sha1 0x6162633132330000000000000000000000000000 \
>         enc aes 0x00000000000000000000000000000000
>     grep --binary abc123 /tmp/nlmon.pcap
>
> Signed-off-by: Kevin Cernekee <[hidden email]>
> Signed-off-by: David S. Miller <[hidden email]>
> Signed-off-by: Khalid Elmously <[hidden email]>
>
> ---
>  net/netlink/af_netlink.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 7e794ad50cb0..3c7a3002f718 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
>   struct sock *sk = skb->sk;
>   int ret = -ENOMEM;
>  
> + if (!net_eq(dev_net(dev), sock_net(sk)))
> + return 0;
> +
>   dev_hold(dev);
>  
>   if (is_vmalloc_addr(skb->head))
>

The cherry-pick/backport looks good, but there are some issues with this
patch submission:

* Please add the CVE number on the subject between square brackets,
otherwise we need to remove it manually when applying the patch.
* The patch must have the sha1 of the upstream commit on the provenance
block, right above your SOB line, in the form of '(cherry-picked from
...)' or '(backported from ...)'.
* The patch doesn't apply cleanly on (at least) Trusty. Please send a
patch that can be applied with 'git am'. In that case, you can send a
patch series with the minimum amount of "versions" of the patch that is
needed for all the affected series. Note that when a patch doesn't apply
cleanly it's considered to be a backport instead of a cherry-pick.


Thanks,
Kleber

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team