Kernel memory corruption in CIPSO labeled TCP packets processing.
Nazarov Sergey
s-nazarov at yandex.ru
Tue Jan 15 17:06:24 UTC 2019
Hello!
Security modules (selinux, smack) use icmp_send for discarded incorrectly labeled network packets.
This could be on TCP level too (security_sock_rcv_skb -> cipso_v4_error for INET stream connection, for example).
icmp_send calls ip_option_echo, which uses IPCB to take compiled IP options.
After moving IP header data to the end of the struct tcp_skb_cb (since the 3.18 kernel), this could lead to
kernel memory corruption when copying IP options.
This patch fixes a bug, but I'm not sure that this is the best solution. Perhaps someone more familiar with the
Linux TCP/IP stack will offer a better one.
Thanks.
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -679,7 +679,8 @@ void icmp_send(struct sk_buff *skb_in, i
iph->tos;
mark = IP4_REPLY_MARK(net, skb_in->mark);
- if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in))
+ if (__ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in,
+ ip_hdr(skb_in)->protocol == IPPROTO_TCP ? &TCP_SKB_CB(skb_in)->header.h4.opt : &IPCB(skb_in)->opt))
goto out_unlock;
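Review bot: the `ip_hdr(skb_in)->protocol == IPPROTO_TCP` test at the `+ if (__ip_options_echo(...)` line selects the control block by IP protocol, but what actually determines the layout of `skb->cb` is whether the TCP receive path has already taken ownership of the skb, not the protocol field. A TCP packet that reaches icmp_send on the forwarding path (TTL exceeded, fragmentation needed) or anywhere else before the transport layer has overwritten the control block still carries an IPCB, and on that path reading `TCP_SKB_CB(skb_in)->header.h4.opt` picks the options from the wrong offset, which is the same class of bug the patch is trying to remove. Consider passing the options pointer in from the caller that knows which cb layout is live (cipso_v4_error on the security_sock_rcv_skb path, per the cover text) instead of guessing inside icmp_send, or at least document in a comment why the protocol check is sufficient for every existing icmp_send caller. As a style point, the second `+` line runs well past 80 columns; hoisting the ternary into a local `const struct ip_options *sopt` before the `if` would keep the call readable.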