This issue is EMBARGOED and the proposed unembargo date is Monday, 4th of December 2006 at 14:00 UTC. It has been assigned CVE-2006-5751. The vulnerability description is as follows: Synopsis: Linux kernel get_fdb_entries() integer overflow Product: Linux kernel Version: 2.6.7 - 2.6.18.3 Vendor: http://www.kernel.org/ Severity: Important Author: Eugene Teo <eteo@redhat.com> Date: November 19, 2006 CVE-ID: CVE-2006-5751 Issue: ====== A potential security vulnerability has been found in the Linux kernel in the get_fdb_entries() function code. Successful exploitation may potentially allow execution of arbitrary code with escalated privileges. Details: ======== The vulnerable code resides in net/bridge/br_ioctl.c: 56 static _nt get_fdb_entries(struct net_bridge *br, void __user *userbuf, 57 unsigned long maxnum, unsigned long offset) 58 { 59 int num; 60 void *buf; 61 size_t size = maxnum * sizeof(struct __fdb_entry); 62 63 if (size > PAGE_SIZE) { 64 size = PAGE_SIZE; 65 maxnum = PAGE_SIZE/sizeof(struct __fdb_entry); 66 } 67 68 buf = kmalloc(size, GFP_USER); 69 if (!buf) 70 return -ENOMEM; 71 72 num = br_fdb_fillbuf(br, buf, maxnum, offset); By supplying a sufficiently large value to maxnum, we can control the amount of memory to allocate to buf (i.e. 32 bytes). net/bridge/br_fdb.c: 219 int br_fdb_fillbuf(struct net_bridge *br, void *buf, 220 unsigned long maxnum, unsigned long skip) 221 { 222 struct __fdb_entry *fe = buf; /* ... */ 227 memset(buf, 0, maxnum*sizeof(struct __fdb_entry)); 228 229 rcu_read_lock(); 230 for (i = 0; i < BR_HASH_SIZE; i++) { 231 hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) { 232 if (num >= maxnum) 233 goto out; 234 235 if (has_expired(br, f)) 236 continue; 237 238 if (skip) { 239 --skip; 240 continue; 241 } 242 243 /* convert from internal format to API */ 244 memcpy(fe->mac_addr, f->addr.addr, ETH_ALEN); 245 fe->port_no = f->dst->port_no; 246 fe->is_local = f->is_local; 247 if (!f->is_static) 248 fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->ageing_timer); 249 ++fe; 250 ++num; 251 } 252 } because fe = buf, and buf can be allocated with only 32 bytes, if one bridge has more than two interfaces added, memcpy will be able to overwrite other slab objects, which can be exploited to execute arbitrary code. Credits: ======== Thanks a1rsupp1y for performing further research together. POC: ==== unsigned long args[4] = { BRCTL_GET_FDB_ENTRIES, (unsigned long) fe, LARGE_VALUE, offset}; struct ifreq ifr; int retries = 0; strncpy(ifr.ifr_name, bridge, IFNAMSIZ); ifr.ifr_data = (char *) args; n = ioctl(br_socket_fd, SIOCDEVPRIVATE, &ifr);
Past the release date.
Fixed in Linux 2.6.18.4
Not affected in ~arch.
