Received: by 10.213.65.68 with SMTP id h4csp455179imn;
        Tue, 13 Mar 2018 09:35:11 -0700 (PDT)
X-Google-Smtp-Source: AG47ELuZAGWrTjnJ387wDb+zeJwSRX9kIlAbAYrAvoHGXJNuE7iGO2Kn387703gwOtMoz8pwaJiC
X-Received: by 10.167.131.199 with SMTP id j7mr1169171pfn.99.1520958911655;
        Tue, 13 Mar 2018 09:35:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520958911; cv=none;
        d=google.com; s=arc-20160816;
        b=nF29Pbm2yZxniVFzlrD2pM92irLkSvTjEqhx8x876F4TUXNNPRzcSIEs2NKVnt8fsR
         wqLzEz9CFBlhuRziz+TCGMMHRxosPsvBksglzAWfXHa2gyn1yDCJc8e7DH/HxvL0U7LG
         RXs8jJOVcHSdMkIuJmJ2XGMRlhS8zjUx4TC0IY4nJWctC2eeD/p05l0fZcBz+z6RAjYX
         nVZTxSWLBbJ2mppGI4NCp2IlkWQ43jhu3eJp4tS36uYsTedPlkXm7mTwL7Jm837cPg89
         HpTgoCGRRuU9rsQP8d/zKEEotmUnh2z56O5s4miuj9GNap2nNDkFsGrSwyo8l1qXLEwU
         SC9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=SdEJvl/f08az14u02qqkxCLX7qcvsJuX+LhopR1Ebjk=;
        b=EYpyxkAi/8ezR4+1gfy865avg40RKkGePqHupPChZu6NWUsmL4U53SLTi5tRoHfBZR
         fZr6488fUyOx+77pRh4FNaRVfaus4T+4TzDg9jA/r+MoMhUA6Gop0z5Ew7Uj/oNMREFn
         H2EJio/p1ef1YbjvyZINtzoWNJPxhnFFh2iaIisOeDG0Ys5WfR722whOVTUCf6yKkZz9
         xdzREcuV7pP8GOZrZ2nyrbnG8GaP4FV9VWsYGxNZJfMdfaV0Vtl7HZzRFY0GtRgIk+z8
         1xm2C0QKi95xVGqqvOrz9EJHBmuD8mg5vI7M4c+K39p9X2sb5q0IYrhEfKVOeEiDQ3wX
         //2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y8-v6si281356plt.378.2018.03.13.09.34.57;
        Tue, 13 Mar 2018 09:35:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753121AbeCMQdM (ORCPT <rfc822;utfcpqpk@gmail.com> + 99 others);
        Tue, 13 Mar 2018 12:33:12 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:59926 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933433AbeCMPcx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 11:32:53 -0400
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id A0D4C11A9;
        Tue, 13 Mar 2018 15:32:52 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com,
        Florian Westphal <fw@strlen.de>,
        Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.15 114/146] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets
Date:   Tue, 13 Mar 2018 16:24:41 +0100
Message-Id: <20180313152329.183444087@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152320.439085687@linuxfoundation.org>
References: <20180313152320.439085687@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the
total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bridge/netfilter/ebtables.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_eb
 		if (match_kern)
 			match_kern->match_size = ret;
 
-		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+			return -EINVAL;
+
 		match32 = (struct compat_ebt_entry_mwt *) buf;
 	}
 
@@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_ent
 	 *
 	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 	 */
+	for (i = 0; i < 4 ; ++i) {
+		if (offsets[i] >= *total)
+			return -EINVAL;
+		if (i == 0)
+			continue;
+		if (offsets[i-1] > offsets[i])
+			return -EINVAL;
+	}
+
 	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 		struct compat_ebt_entry_mwt *match32;
 		unsigned int size;