NACK: [Trusty][Xenial][Zesty][Artful][PATCH 1/1][v3] CVE-2017-17449 netlink: Add netns check on taps

Kleber Souza kleber.souza at canonical.com
Wed Jan 24 11:37:35 UTC 2018 

On 01/04/18 15:52, Khalid Elmously wrote:
> From: Kevin Cernekee <cernekee at chromium.org>
> 
> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity.  Filter the traffic so that nlmon can only sniff
> netlink messages from its own netns.
> 
> Test case:
> 
>     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>                       ip link set nlmon0 up; \
>                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>         spi 0x1 mode transport \
>         auth sha1 0x6162633132330000000000000000000000000000 \
>         enc aes 0x00000000000000000000000000000000
>     grep --binary abc123 /tmp/nlmon.pcap
> 
> Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
> 
> ---
>  net/netlink/af_netlink.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 7e794ad50cb0..3c7a3002f718 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
>  	struct sock *sk = skb->sk;
>  	int ret = -ENOMEM;
>  
> +	if (!net_eq(dev_net(dev), sock_net(sk)))
> +		return 0;
> +
>  	dev_hold(dev);
>  
>  	if (is_vmalloc_addr(skb->head))
> 

The cherry-pick/backport looks good, but there are some issues with this
patch submission:

* Please add the CVE number on the subject between square brackets,
otherwise we need to remove it manually when applying the patch.
* The patch must have the sha1 of the upstream commit on the provenance
block, right above your SOB line, in the form of '(cherry-picked from
...)' or '(backported from ...)'.
* The patch doesn't apply cleanly on (at least) Trusty. Please send a
patch that can be applied with 'git am'. In that case, you can send a
patch series with the minimum amount of "versions" of the patch that is
needed for all the affected series. Note that when a patch doesn't apply
cleanly it's considered to be a backport instead of a cherry-pick.


Thanks,
Kleber

More information about the kernel-team mailing list