NACK: [Trusty][Xenial][Zesty][Artful][PATCH 1/1][v3] CVE-2017-17449 netlink: Add netns check on taps
Kleber Souza
kleber.souza at canonical.com
Wed Jan 24 11:37:35 UTC 2018
On 01/04/18 15:52, Khalid Elmously wrote:
> From: Kevin Cernekee <cernekee at chromium.org>
>
> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity. Filter the traffic so that nlmon can only sniff
> netlink messages from its own netns.
>
> Test case:
>
> vpnns -- bash -c "ip link add nlmon0 type nlmon; \
> ip link set nlmon0 up; \
> tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
> sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
> spi 0x1 mode transport \
> auth sha1 0x6162633132330000000000000000000000000000 \
> enc aes 0x00000000000000000000000000000000
> grep --binary abc123 /tmp/nlmon.pcap
>
> Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
>
> ---
> net/netlink/af_netlink.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 7e794ad50cb0..3c7a3002f718 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
> struct sock *sk = skb->sk;
> int ret = -ENOMEM;
>
> + if (!net_eq(dev_net(dev), sock_net(sk)))
> + return 0;
> +
> dev_hold(dev);
>
> if (is_vmalloc_addr(skb->head))
>
The cherry-pick/backport looks good, but there are some issues with this
patch submission:
* Please add the CVE number on the subject between square brackets,
otherwise we need to remove it manually when applying the patch.
* The patch must have the sha1 of the upstream commit on the provenance
block, right above your SOB line, in the form of '(cherry-picked from
...)' or '(backported from ...)'.
* The patch doesn't apply cleanly on (at least) Trusty. Please send a
patch that can be applied with 'git am'. In that case, you can send a
patch series with the minimum amount of "versions" of the patch that is
needed for all the affected series. Note that when a patch doesn't apply
cleanly it's considered to be a backport instead of a cherry-pick.
Thanks,
Kleber
More information about the kernel-team
mailing list