Received: by 10.213.65.68 with SMTP id h4csp445433imn;
        Tue, 13 Mar 2018 09:16:24 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvU2V/5A1T6M02bfNm5A003XUwM40n0FZAoD8bQ7UfLUNwV3e3PRSAqxbda5blc/+AE/2D8
X-Received: by 2002:a17:902:bc84:: with SMTP id bb4-v6mr1056417plb.317.1520957784914;
        Tue, 13 Mar 2018 09:16:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520957784; cv=none;
        d=google.com; s=arc-20160816;
        b=bpVX7VyIRxfMdCRtfqA3ztcV0BaAcnaLyXSW0lDnYLcQ3utSg3G3nKozyiP7NU4mTO
         qdTypDWa36Kzq6aYJK/Qu8RlZ6Ye4SyAj67aXLdWVFdxK9EkulyTdHqdrH9EIQJav775
         p8ylAsaYOfVmnyfUFjkoc7GBE65J/aVPAgdFboQmH+vTguEXatvEt56ixqDrBEQIFSug
         tj5rlSeYWyVXB/CKbBmNdQiqtjkSPdPWkeLWxznbkne5w1HrP3Xx+LkVfQMtTMbx31je
         OJNqVKuInNuHSisx1NkzMcpQjQRC9EQAwkFnEXEnRODunjpofdczpVz5CJ20ev+gTz+I
         Z3+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=b//iNS/R6SvqNr+VAquxk/3U5YoqUMyMFTkB5Nl6sSo=;
        b=zmNkYfnydv9afSoH8GwJ9Ytdt1qsT9ZItt0sSz9gF1SQfuJtwzO0OBSQBadLvt5Rxe
         CKsdzx9wo5R4/YSA0fyZ/3ZRgMw3Cur8XTcqDwBVXIm+XsT132HztbIHE/zu03cs/7c2
         qaNSkWi/+CaFiaUycYAxG2BlMy2bFe5Sp0++7Zdqy2+GvGYBo3o4D2bRfwnCxOQrupSR
         sXFVKGJFWaaCqidWi8sdi4938GGA66IawdiFEfZqRrbGOc3NNdXMZDJ/H2GC1y14A4eq
         xE9sIqqvragICc5sg0xyrnUqLH6yMHtbYM5dcgQ0m/CBrf7SYyqxWmlMJ59ea1VJwoko
         JNAg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c7-v6si274302plo.432.2018.03.13.09.16.10;
        Tue, 13 Mar 2018 09:16:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934042AbeCMPfj (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Tue, 13 Mar 2018 11:35:39 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:33216 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933991AbeCMPfg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 11:35:36 -0400
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 7ED871144;
        Tue, 13 Mar 2018 15:35:35 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com,
        Florian Westphal <fw@strlen.de>,
        Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.14 015/140] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets
Date:   Tue, 13 Mar 2018 16:23:38 +0100
Message-Id: <20180313152459.139448737@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152458.201155692@linuxfoundation.org>
References: <20180313152458.201155692@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the
total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bridge/netfilter/ebtables.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_eb
 		if (match_kern)
 			match_kern->match_size = ret;
 
-		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+			return -EINVAL;
+
 		match32 = (struct compat_ebt_entry_mwt *) buf;
 	}
 
@@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_ent
 	 *
 	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 	 */
+	for (i = 0; i < 4 ; ++i) {
+		if (offsets[i] >= *total)
+			return -EINVAL;
+		if (i == 0)
+			continue;
+		if (offsets[i-1] > offsets[i])
+			return -EINVAL;
+	}
+
 	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 		struct compat_ebt_entry_mwt *match32;
 		unsigned int size;