Received: by 10.223.185.116 with SMTP id b49csp1066053wrg; Fri, 23 Feb 2018 11:17:41 -0800 (PST) X-Google-Smtp-Source: AH8x226ZxHxCDU+qAGCvfZCx3b0ZatMv2mSaLX5vFGutdQH2b3qV+k4OZNYm0yuE80X7MdnWB5JB X-Received: by 10.101.78.200 with SMTP id w8mr2228315pgq.43.1519413461439; Fri, 23 Feb 2018 11:17:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519413461; cv=none; d=google.com; s=arc-20160816; b=vieoV+ySdGfRhXcUj9EMW7GBKFQFZZduVU/sMSK27xz00Jt3+rcwYdmFUQVxZTUHZQ Q33zd0Quk9irj8pxyhota+yjnNdUt8m1sWz3jMmkaIV8NDz6QtjdhzMm2HEPx+7Ze1oy vSeh1mbuEWfMQYgqDCaq2lkgIxx6vQBY2mWOnB7Laoaf5utZwPzwRAJqM1ue2ZeJa777 BnDWnhQIcdngtRKdVCf1qMBIVkeCy5Hb+68HYMOFzZyQ0MWsZHe0/nsTdv5SnE0BTt9S WEBv55pQnusUEu9cMbLqXnPGAkLUKSXYwCmmLbnDSLLuB0e1DjUZ8XuwCgTbttbWYlXI xboA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=KhTOrif3K/gWeA59BpXZXdnAwpwwUaZOUShTwV3PaTc=; b=JiPIh8EKB7ea3oOoDxI81lGpuNLQeC5oHl3wuC1pEqU73rIyticFdWfucc8wAAteeW HnwSkjhPXi38II7VMriVj891xDamfNJ+A+Ox7WyHP6nZX+C3Tudz3jguxBWUKVXVHJWJ oek1SxSCIxmy+rI1LMf4FQuP3aAjCjg0BOXEvnW6jYT5kVuN71s4o51Z4XeDL2D5tV+f LOUR/KQi1ziC+680Mj2fso7lRn8PmsTD50X/bsaEDnYuQlCdP0uHDaySXZUUIf5G6JOo inj0v/KBXR/Rk41WsnPt/XU+XzAOoieKoc2dntMXQqR2f5cr7SzGvBV1aaClrTKBry/W swwA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v4si1830842pgt.331.2018.02.23.11.17.27; Fri, 23 Feb 2018 11:17:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965174AbeBWSz2 (ORCPT + 99 others); Fri, 23 Feb 2018 13:55:28 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:48230 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964838AbeBWSz0 (ORCPT ); Fri, 23 Feb 2018 13:55:26 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 0995A128A; Fri, 23 Feb 2018 18:55:25 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.14 134/159] netfilter: xt_bpf: add overflow checks Date: Fri, 23 Feb 2018 19:27:22 +0100 Message-Id: <20180223170759.302965027@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180223170743.086611315@linuxfoundation.org> References: <20180223170743.086611315@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn [ Upstream commit 6ab405114b0b229151ef06f4e31c7834dd09d0c0 ] Check whether inputs from userspace are too long (explicit length field too big or string not null-terminated) to avoid out-of-bounds reads. As far as I can tell, this can at worst lead to very limited kernel heap memory disclosure or oopses. This bug can be triggered by an unprivileged user even if the xt_bpf module is not loaded: iptables is available in network namespaces, and the xt_bpf module can be autoloaded. Triggering the bug with a classic BPF filter with fake length 0x1000 causes the following KASAN report: ================================================================== BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0 Read of size 32768 at addr ffff8801eff2c494 by task test/4627 CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1 [...] Call Trace: dump_stack+0x5c/0x85 print_address_description+0x6a/0x260 kasan_report+0x254/0x370 ? bpf_prog_create+0x84/0xf0 memcpy+0x1f/0x50 bpf_prog_create+0x84/0xf0 bpf_mt_check+0x90/0xd6 [xt_bpf] [...] Allocated by task 4627: kasan_kmalloc+0xa0/0xd0 __kmalloc_node+0x47/0x60 xt_alloc_table_info+0x41/0x70 [x_tables] [...] The buggy address belongs to the object at ffff8801eff2c3c0 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 212 bytes inside of 2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0) [...] ================================================================== Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match") Signed-off-by: Jann Horn Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/netfilter/xt_bpf.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/net/netfilter/xt_bpf.c +++ b/net/netfilter/xt_bpf.c @@ -27,6 +27,9 @@ static int __bpf_mt_check_bytecode(struc { struct sock_fprog_kern program; + if (len > XT_BPF_MAX_NUM_INSTR) + return -EINVAL; + program.len = len; program.filter = insns; @@ -55,6 +58,9 @@ static int __bpf_mt_check_path(const cha mm_segment_t oldfs = get_fs(); int retval, fd; + if (strnlen(path, XT_BPF_PATH_MAX) == XT_BPF_PATH_MAX) + return -EINVAL; + set_fs(KERNEL_DS); fd = bpf_obj_get_user(path); set_fs(oldfs);