From 0a59ea5e0b2ce466bfd35c9e700094bf09a0310d Mon Sep 17 00:00:00 2001
From: Nelson Elhage <nelhage@ksplice.com>
Date: Thu, 17 Feb 2011 20:55:12 -0500
Subject: cgrulesengd: Ignore netlink messages that don't come from the kernel.
References: bnc#675048, CVE-2011-1022
recvfrom() returns the sender's address; it does not filter the packet based on the
sender. We need to explicitly check the received address after the call returns.
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/daemon/cgrulesengd.c | 11 ++++-------
1 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
index 10fd2cd..5a965fd 100644
--- a/src/daemon/cgrulesengd.c
+++ b/src/daemon/cgrulesengd.c
@@ -503,17 +503,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
struct sockaddr_nl from_nla;
socklen_t from_nla_len;
struct nlmsghdr *nlh;
- struct sockaddr_nl kern_nla;
struct cn_msg *cn_hdr;
- kern_nla.nl_family = AF_NETLINK;
- kern_nla.nl_groups = CN_IDX_PROC;
- kern_nla.nl_pid = 1;
- kern_nla.nl_pad = 0;
-
memset(buff, 0, sizeof(buff));
from_nla_len = sizeof(from_nla);
- memcpy(&from_nla, &kern_nla, sizeof(from_nla));
recv_len = recvfrom(sk_nl, buff, sizeof(buff), 0,
(struct sockaddr *)&from_nla, &from_nla_len);
if (recv_len == ENOBUFS) {
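Review bot: The error test on the hunk's last line, `if (recv_len == ENOBUFS) {`, compares recvfrom()'s return value with an errno constant, but recvfrom() signals failure by returning -1 and setting errno, so this branch can only fire when a datagram happens to be exactly ENOBUFS bytes long and a real ENOBUFS overrun falls through to the `recv_len < 1` return in the next hunk. The condition should read `if (recv_len < 0 && errno == ENOBUFS) {`, with errno read before any other library call. This is pre-existing behaviour rather than something the commit introduces, and the branch body and the rest of cgre_receive_netlink_msg lie outside the hunk.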
@@ -523,6 +516,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
if (recv_len < 1)
return 0;
+ if (from_nla.nl_groups != CN_IDX_PROC
+ || from_nla.nl_pid != 0)
+ return 0;
+
nlh = (struct nlmsghdr *)buff;
while (NLMSG_OK(nlh, recv_len)) {
cn_hdr = NLMSG_DATA(nlh);
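Review bot: The new sender check reads from_nla.nl_groups and from_nla.nl_pid without first confirming that recvfrom() filled them in: from_nla is no longer pre-filled (the earlier hunk drops the memcpy from kern_nla), so until recvfrom() writes from_nla_len bytes the struct holds uninitialized stack contents, and nothing verifies from_nla_len or nl_family. A netlink source address from the kernel is a full struct sockaddr_nl, so this is defensive rather than a known gap, but the test is unambiguous as `if (from_nla_len < sizeof(from_nla) || from_nla.nl_family != AF_NETLINK || from_nla.nl_groups != CN_IDX_PROC || from_nla.nl_pid != 0) return 0;` (or with `memset(&from_nla, 0, sizeof(from_nla));` before the call). A short comment above the check, `/* accept only kernel-originated messages (nl_pid 0) on the proc connector group */`, would record why nl_pid 0 is the expected sender, since the old kern_nla template used 1. cgre_receive_netlink_msg continues outside the hunk.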
--
1.7.4.1