linux/net
Vasiliy Kulikov 6a8ab06077 ipv6: netfilter: ip6_tables: fix infoleak to userspace
Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
copied from userspace. Fields of these structs that are
zero-terminated strings are not checked. When they are used as an argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via the argument of the spawned modprobe
process.

The first bug was introduced before the git epoch; the second was
introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2011-03-15 13:37:13 +01:00
9p net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
802 net/802: add __rcu annotations 2010-10-25 13:09:44 -07:00
8021q 8021q: vlan device is lockless do not transfer real_num_{tx|rx}_queues 2010-11-28 10:47:19 -08:00
appletalk
atm Merge branch 'for-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2011-01-07 16:58:04 -08:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv batman-adv: Use "__attribute__" shortcut macros 2011-01-16 03:25:19 +01:00
bluetooth Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/padovan/bluetooth-next-2.6 2011-01-04 14:25:28 -05:00
bridge bridge: netfilter: fix information leak 2011-02-14 16:49:23 +01:00
caif net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
can can: test size of struct sockaddr in sendmsg 2011-01-15 20:56:42 -08:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2011-01-13 10:25:24 -08:00
core net: implement mechanism for HW based QOS 2011-01-19 23:31:10 -08:00
dcb dcb: use after free in dcb_flushapp() 2011-01-06 11:16:54 -08:00
dccp Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
decnet net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
dns_resolver Net: dns_resolver: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:10 -08:00
dsa net/dsa: don't use flush_scheduled_work() 2010-12-24 15:59:06 +01:00
econet Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-17 12:27:22 -08:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154 net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
ipv4 netfilter: ip_tables: fix infoleak to userspace 2011-03-15 13:36:05 +01:00
ipv6 ipv6: netfilter: ip6_tables: fix infoleak to userspace 2011-03-15 13:37:13 +01:00
ipx BKL: introduce CONFIG_BKL. 2010-10-21 15:44:13 +02:00
irda Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-26 22:37:05 -08:00
iucv [S390] irq: have detailed statistics for interrupt types 2011-01-05 12:47:25 +01:00
key net: return operator cleanup 2010-09-23 14:33:39 -07:00
l2tp Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
lapb Net: lapb: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:14 -08:00
llc net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
mac80211 mac80211: use maximum number of AMPDU frames as default in BA RX 2011-01-13 15:46:45 -05:00
netfilter netfilter: xt_connlimit: remove connlimit_rnd_inited 2011-03-15 13:26:32 +01:00
netlabel net: kill unused macros 2010-12-19 21:59:35 -08:00
netlink netlink: test for all flags of the NLM_F_DUMP composite 2011-01-09 16:25:03 -08:00
netrom
packet net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
phonet phonet: some signedness bugs 2011-01-10 13:33:17 -08:00
rds net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
rfkill rfkill: remove dead code 2010-11-15 13:24:06 -05:00
rose Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-27 01:03:03 -07:00
rxrpc rxrpc: rxrpc_workqueue isn't used during memory reclaim 2011-01-14 09:25:11 -08:00
sched Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2011-01-20 00:06:15 -08:00
sctp Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-17 12:27:22 -08:00
sunrpc Merge branch 'for-2.6.38' of git://linux-nfs.org/~bfields/linux 2011-01-14 13:17:26 -08:00
tipc tipc: update log.h re-include protection to reflect new name 2011-01-01 14:56:18 -08:00
unix af_unix: coding style: remove one level of indentation in unix_shutdown() 2011-01-19 23:31:11 -08:00
wanrouter net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
wimax
wireless cfg80211: fix transposition of words in printk 2011-01-04 14:43:01 -05:00
x25 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
xfrm xfrm: check trunc_len in XFRMA_ALG_AUTH_TRUNC 2011-01-11 14:03:09 -08:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
Kconfig Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
Makefile net: Add batman-adv meshing protocol 2010-12-16 13:44:24 -08:00
nonet.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
socket.c pass default dentry_operations to mount_pseudo() 2011-01-12 20:03:43 -05:00
sysctl_net.c
TUNABLE