From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.15 114/146] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets
Date: Tue, 13 Mar 2018 16:24:41 +0100
Message-Id: <20180313152329.183444087@linuxfoundation.org>
In-Reply-To: <20180313152320.439085687@linuxfoundation.org>
References: <20180313152320.439085687@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_eb if (match_kern) match_kern->match_size = ret; - WARN_ON(type == EBT_COMPAT_TARGET && size_left); + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + return -EINVAL; + match32 = (struct compat_ebt_entry_mwt *) buf; } @@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_ent * * offsets are relative to beginning of struct ebt_entry (i.e., 0). */ + for (i = 0; i < 4 ; ++i) { + if (offsets[i] >= *total) + return -EINVAL; + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) + return -EINVAL; + } + for (i = 0, j = 1 ; j < 4 ; j++, i++) { struct compat_ebt_entry_mwt *match32; unsigned int size;
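Review bot: in the ebt_size_mwt hunk, `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))` keeps a warning on a condition that, per the commit message, syzkaller already reached from userland; with panic_on_warn set (which is exactly how syzkaller found it) a malformed compat table from a caller allowed to load ebtables rules still takes the machine down even though the function now returns -EINVAL. Since the condition is now handled as an ordinary input error, drop the WARN_ON and keep only `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;` (or at most WARN_ON_ONCE if the splat is meant to catch kernel-side size bookkeeping bugs rather than bad input), and say in the commit message which of the two it is.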
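Review bot: the new loop in size_entry_mwt rejects only strict decreases (`offsets[i-1] > offsets[i]`), so equal consecutive offsets pass, which is right for an entry with no matches or no watchers, but the commit message describes it as an "ascending order" check; the comment above the loop ("offsets are relative to beginning of struct ebt_entry") should add that non-decreasing is intended so a later reader does not tighten it to `>=` and break empty sections. Separately, `offsets[i] >= *total` also rejects an offset that is exactly equal to *total; if the last offset of the final entry in the blob can legitimately land on the end of the remaining data, that entry now fails with -EINVAL, so either confirm it cannot or relax the bound for that index and add a test with a ruleset whose final entry ends on the buffer boundary.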
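The check the commit message describes (every offset inside the remaining size, offsets non-decreasing) is small enough to model outside the kernel. The block below is an added example, not code from the patch, the kernel tree or the mail: it builds the four-entry offsets array the same way (header size first, then the three user-supplied offsets), applies the same loop, and runs it over constructed entries, including one that shows why the check matters: with offsets out of order, the unsigned subtraction a trusting parser does for a section size wraps to a value far larger than the blob. `struct mock_entry`, `validate_offsets`, `check_entry` and `trusting_section_size` are stand-ins chosen here, not the kernel's ebt_entry or compat definitions.

```c
/* Added example, not code from the patch or from the kernel tree: a user-space
 * model of the offset validation the patch adds to size_entry_mwt(), run over a
 * few constructed entries to show what it rejects and why that matters.
 * struct mock_entry and all function names here are stand-ins, not the
 * kernel's ebt_entry / compat definitions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the compat entry header: three user-supplied offsets, all
 * relative to the start of the entry (offset 0), delimiting the matches,
 * watchers and target sections that follow the header in that order. */
struct mock_entry {
	uint32_t bitmask;          /* placeholder header field */
	uint32_t watchers_offset;  /* end of matches, start of watchers */
	uint32_t target_offset;    /* end of watchers, start of target */
	uint32_t next_offset;      /* end of target, start of the next entry */
};

/* Same rule as the loop in the patch: every offset must lie inside the bytes
 * still left in the blob, and the sequence must be non-decreasing (equal
 * offsets are fine: they are an empty section). Returns 0 or -EINVAL. */
static int validate_offsets(const unsigned int offsets[4], unsigned int total)
{
	unsigned int i;

	for (i = 0; i < 4; ++i) {
		if (offsets[i] >= total)
			return -EINVAL;
		if (i == 0)
			continue;
		if (offsets[i - 1] > offsets[i])
			return -EINVAL;
	}
	return 0;
}

/* Build the offsets array the way the kernel does: offsets[0] is the header
 * size (matches come first), the other three are copied from the entry. */
static void build_offsets(const struct mock_entry *e, unsigned int offsets[4])
{
	offsets[0] = sizeof(*e);
	offsets[1] = e->watchers_offset;
	offsets[2] = e->target_offset;
	offsets[3] = e->next_offset;
}

/* Validate one entry against the number of bytes remaining in the blob. */
static int check_entry(const struct mock_entry *e, unsigned int total)
{
	unsigned int offsets[4];

	build_offsets(e, offsets);
	return validate_offsets(offsets, total);
}

/* What a parser that trusts the offsets would compute as the size of section
 * i (0 = matches, 1 = watchers, 2 = target): plain unsigned subtraction. It
 * exceeds the buffer when an offset is past total and wraps to a huge value
 * when offsets are out of order; shown to make the effect of the check visible. */
static unsigned int trusting_section_size(const struct mock_entry *e, unsigned int i)
{
	unsigned int offsets[4];

	build_offsets(e, offsets);
	return offsets[i + 1] - offsets[i];
}

/* Constructed inputs: one sane entry and two malformed ones. */
static const struct mock_entry good     = { 0, 16, 16, 24 };         /* no matches, no watchers, 8-byte target */
static const struct mock_entry too_far  = { 0, 16, 16, 0x7fffffff }; /* next_offset far past the blob */
static const struct mock_entry reversed = { 0, 40, 20, 48 };         /* target_offset before watchers_offset */

int main(void)
{
	const struct {
		const char *name;
		const struct mock_entry *e;
		unsigned int total;
	} cases[] = {
		{ "good",                  &good,     64 },
		{ "too_far",               &too_far,  64 },
		{ "reversed",              &reversed, 64 },
		{ "good, blob of 8 bytes", &good,      8 }, /* header alone does not fit */
	};
	unsigned int i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i) {
		int ret = check_entry(cases[i].e, cases[i].total);

		printf("%-22s total=%2u -> %s", cases[i].name, cases[i].total,
		       ret ? "rejected (-EINVAL)" : "accepted");
		if (ret)
			printf("; a trusting parser would use section sizes %u/%u/%u",
			       trusting_section_size(cases[i].e, 0),
			       trusting_section_size(cases[i].e, 1),
			       trusting_section_size(cases[i].e, 2));
		printf("\n");
	}
	return 0;
}
```

The bound is deliberately `>=`, as in the patch, so an offset equal to the remaining size is rejected along with anything beyond it; equal consecutive offsets are accepted, which is what an entry with no matches or no watchers looks like. The `reversed` case is the one to look at: it passes the range check on every offset and is caught only by the ordering check, and without that check the watchers section size comes out as 4294967276 bytes.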