From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+fe0b19af568972814355@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.14 016/140] netfilter: bridge: ebt_among: add missing match size checks
Date: Tue, 13 Mar 2018 16:23:39 +0100
Message-Id: <20180313152459.210233474@linuxfoundation.org>
In-Reply-To: <20180313152458.201155692@linuxfoundation.org>
X-stable: review
List-ID: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

Therefore it must check that the size of the match structure
provided from userspace is sane by making sure em->match_size
is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing
a structure that might be out of bounds.

tested with:
ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/bridge/netfilter/ebt_among.c |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, return true; } +static bool poolsize_invalid(const struct ebt_mac_wormhash *w) +{ + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; const struct ebt_entry_match *em = container_of(par->matchinfo, const struct ebt_entry_match, data); - int expected_length = sizeof(struct ebt_among_info); + unsigned int expected_length = sizeof(struct ebt_among_info); const struct ebt_mac_wormhash *wh_dst, *wh_src; int err; + if (expected_length > em->match_size) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); - wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_dst); + if (expected_length > em->match_size) + return -EINVAL; + + wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_src)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_src); if (em->match_size != EBT_ALIGN(expected_length)) {
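Review bot: poolsize_invalid() dereferences w->poolsize, but nothing in this hunk bounds the pointers returned by ebt_among_wh_dst(info) and ebt_among_wh_src(info) against em->match_size before that read; the first check only proves that sizeof(struct ebt_among_info) bytes are present, and the expected_length comparison that follows each wormhash runs after its poolsize has already been read. If those helpers locate the wormhash from an offset carried inside info (userspace data), an offset pointing past match_size still lets poolsize be read out of bounds, which is the same class of problem the commit message describes. Suggest checking that the wormhash header itself lies within the match before calling poolsize_invalid(), along the lines of `if (ofs < sizeof(*info) || ofs > em->match_size - sizeof(*wh)) return -EINVAL;`, and likewise that `ofs + ebt_mac_wormhash_size(wh)` does not exceed em->match_size, since the running expected_length total alone cannot catch a table placed near the end of the buffer.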
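The ordering the commit message calls for (prove each part of a dynamically sized match fits inside em->match_size before dereferencing it), as an added example in C that is not the kernel's code and not part of this patch. The struct layouts, ALIGN8, build_match(), bytes_touched_old_order() and the error codes are simplified assumptions standing in for ebt_among_info, ebt_mac_wormhash, EBT_ALIGN and -EINVAL, not the real definitions. It goes one step beyond the hunk by also bounding each table by the offset that places it, not only by the running total.

```c
/*
 * Added example, not the kernel's code: validate a variable-length match
 * from userspace in the order the ebt_among fix uses. Layouts, ALIGN8,
 * build_match() and the error codes are simplified stand-ins (assumed) for
 * ebt_among_info, ebt_mac_wormhash, EBT_ALIGN and -EINVAL.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN8(x) (((size_t)(x) + 7) & ~(size_t)7)   /* stand-in for EBT_ALIGN */

struct tuple { uint8_t mac[6]; uint16_t pad; uint32_t ip; };    /* 12 bytes */

struct wormhash {              /* header followed by poolsize tuples */
    uint32_t poolsize;
    struct tuple pool[];
};

struct among_info {            /* fixed header; offsets are relative to it, */
    uint32_t wh_dst_ofs;       /* come from userspace, and 0 means "no table" */
    uint32_t wh_src_ofs;
    uint32_t bitmask;
    uint32_t pad;
};

struct entry_match {           /* what the bridge code receives */
    uint32_t match_size;       /* claimed size of data[], untrusted */
    uint8_t data[];
};

enum { OK = 0, E_BASE = -1, E_OFS = -2, E_POOL = -3, E_LEN = -4, E_ALIGN = -5 };

static size_t wormhash_size(const struct wormhash *w)
{
    return w ? sizeof(*w) + (size_t)w->poolsize * sizeof(struct tuple) : 0;
}

/* Same bound as the patch: keeps poolsize * sizeof(tuple) below INT_MAX. */
static int poolsize_invalid(const struct wormhash *w)
{
    return w && w->poolsize >= INT_MAX / sizeof(struct tuple);
}

/* Resolve an offset only if the table header lies inside match_size; the
 * caller already verified match_size covers the header, so no wrap here. */
static const struct wormhash *wormhash_at(const struct entry_match *em,
                                          uint32_t ofs, int *err)
{
    if (ofs == 0)
        return NULL;
    if (ofs < sizeof(struct among_info) ||
        ofs > em->match_size - sizeof(struct wormhash)) {
        *err = E_OFS;
        return NULL;
    }
    return (const struct wormhash *)(em->data + ofs);
}

/* Fixed order: header, each table header, each table body, running total,
 * then the exact aligned size. Nothing is read before it is proven to fit. */
int check_among_match(const struct entry_match *em)
{
    const struct among_info *info = (const struct among_info *)em->data;
    size_t expected = sizeof(*info);
    uint32_t ofs[2];
    int err = 0, i;

    if (expected > em->match_size)
        return E_BASE;                       /* not even the header fits */
    ofs[0] = info->wh_dst_ofs;               /* safe to read now */
    ofs[1] = info->wh_src_ofs;

    for (i = 0; i < 2; i++) {
        const struct wormhash *w = wormhash_at(em, ofs[i], &err);
        if (err)
            return err;                      /* table header outside match */
        if (poolsize_invalid(w))
            return E_POOL;                   /* size arithmetic would overflow */
        if (w && (uint64_t)ofs[i] + wormhash_size(w) > em->match_size)
            return E_LEN;                    /* body past the end of the match */
        expected += wormhash_size(w);
        if (expected > em->match_size)
            return E_LEN;                    /* running total, as in the patch */
    }
    return em->match_size == ALIGN8(expected) ? OK : E_ALIGN;
}

/* The order the fix removes: read a table's poolsize before any size check.
 * Returns how many bytes of data[] that read reaches so it can be compared
 * with match_size; only call on a buffer with spare backing storage. */
size_t bytes_touched_old_order(const struct entry_match *em)
{
    const struct among_info *info = (const struct among_info *)em->data;
    const struct wormhash *w = info->wh_dst_ofs
        ? (const struct wormhash *)(em->data + info->wh_dst_ofs) : NULL;
    volatile uint32_t sink = w ? w->poolsize : 0;       /* the unchecked read */
    (void)sink;
    return w ? (size_t)info->wh_dst_ofs + sizeof(*w) : sizeof(*info);
}

/* Constructed input in a 512-byte scratch area: header, dst table with ndst
 * tuples at dst_ofs, src table with nsrc tuples at src_ofs, claimed size. */
struct entry_match *build_match(uint32_t claim, uint32_t dst_ofs, uint32_t ndst,
                                uint32_t src_ofs, uint32_t nsrc)
{
    static uint64_t scratch[64];
    struct entry_match *em = (struct entry_match *)scratch;
    struct among_info *info = (struct among_info *)em->data;

    memset(scratch, 0, sizeof(scratch));
    em->match_size = claim;
    info->wh_dst_ofs = dst_ofs;
    info->wh_src_ofs = src_ofs;
    if (dst_ofs)
        ((struct wormhash *)(em->data + dst_ofs))->poolsize = ndst;
    if (src_ofs)
        ((struct wormhash *)(em->data + src_ofs))->poolsize = nsrc;
    return em;
}

int main(void)
{
    /* 16-byte header, dst table (2 tuples, 28 bytes) at 16, src table
     * (1 tuple, 16 bytes) at 44: 60 bytes, which EBT_ALIGN rounds to 64 */
    printf("valid: %d\n", check_among_match(build_match(64, 16, 2, 44, 1)));
    printf("truncated: %d, old order reads %zu of 4 bytes\n",
           check_among_match(build_match(4, 16, 2, 44, 1)),
           bytes_touched_old_order(build_match(4, 16, 2, 44, 1)));
    printf("body past end: %d\n", check_among_match(build_match(64, 48, 2, 44, 1)));
    return 0;
}
```

The truncated case is the one the commit message describes: with a 4-byte match the old order still reaches byte 20 to read the dst table's poolsize, while check_among_match() rejects it at the header check without touching anything beyond match_size. The "body past end" case is the extra check: a table whose header is inside the match but whose tuples are not passes the running-total comparison alone and is only caught by bounding it at its own offset.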