From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+fe0b19af568972814355@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.15 115/146] netfilter: bridge: ebt_among: add missing match size checks
Date: Tue, 13 Mar 2018 16:24:42 +0100
Message-Id: <20180313152329.256652776@linuxfoundation.org>
In-Reply-To: <20180313152320.439085687@linuxfoundation.org>
References: <20180313152320.439085687@linuxfoundation.org>
X-stable: review
List-ID: linux-kernel@vger.kernel.org

4.15-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.

ebt_among is special, it has a dynamic match size and is exempt from the central size checks.

Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing a structure that might be out of bounds.

tested with:
ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, return true; } +static bool poolsize_invalid(const struct ebt_mac_wormhash *w) +{ + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; const struct ebt_entry_match *em = container_of(par->matchinfo, const struct ebt_entry_match, data); - int expected_length = sizeof(struct ebt_among_info); + unsigned int expected_length = sizeof(struct ebt_among_info); const struct ebt_mac_wormhash *wh_dst, *wh_src; int err; + if (expected_length > em->match_size) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); - wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_dst); + if (expected_length > em->match_size) + return -EINVAL; + + wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_src)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_src); if (em->match_size != EBT_ALIGN(expected_length)) {
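Review bot: the new "expected_length > em->match_size" check proves only that the fixed ebt_among_info header fits, yet poolsize_invalid(wh_dst) then reads w->poolsize through the pointer ebt_among_wh_dst(info) returns before anything in the hunk has established that this pointer, and the sizeof(struct ebt_mac_wormhash) bytes behind it, lie inside em->match_size; the size comparison that would cover that region runs only after ebt_mac_wormhash_size(wh_dst) has already consumed poolsize. Suggest validating the wormhash's position within the match data first (its start not below sizeof(struct ebt_among_info), its fixed part ending at or before em->match_size) and only then calling poolsize_invalid(), with the same ordering for wh_src. Minor: poolsize_invalid() still accepts a negative poolsize, which ebt_mac_wormhash_size() would turn into a very large size; rejecting "w->poolsize < 0" alongside the INT_MAX bound is cheap.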
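The ordering the commit message argues for (prove em->match_size covers a structure before reading through it), as an added userspace model that is not part of this patch or of the kernel. The struct layouts are simplified stand-ins for ebt_among_info and ebt_mac_wormhash (an assumption), the EBT_ALIGN step is omitted, and it also bounds-checks the wormhash position and rejects a negative poolsize, which goes beyond what this hunk adds:

```c
/* Added example (not kernel code): a userspace model of the check order the fix
 * establishes, on constructed blobs. Struct layouts are simplified stand-ins for
 * ebt_among_info / ebt_mac_wormhash (assumption); the EBT_ALIGN step is omitted. */
#include <limits.h>
#include <stdint.h>
#include <string.h>
struct wormhash_tuple { uint32_t cmp[2]; uint32_t ip; };
struct wormhash { int table[257]; int poolsize; struct wormhash_tuple pool[]; };
struct among_info { int wh_dst_ofs; int wh_src_ofs; int bitmask; };

/* As in the patch, plus rejecting a negative poolsize (added here). */
static int poolsize_invalid(const struct wormhash *w)
{
    return w && (w->poolsize < 0 ||
                 w->poolsize >= (int)(INT_MAX / sizeof(struct wormhash_tuple)));
}

/* 0 if the blob is consistent, -1 if not; no byte is read before it is in bounds. */
int among_check(const void *match, unsigned int match_size)
{
    const struct among_info *info = match;
    size_t expected = sizeof(*info);
    if (expected > match_size) return -1;          /* 1: fixed header fits */
    int ofs[2] = { info->wh_dst_ofs, info->wh_src_ofs };  /* safe only now */
    for (int i = 0; i < 2; i++) {
        if (!ofs[i]) continue;
        /* 2: the wormhash's fixed part must fit before poolsize is read through it */
        if (ofs[i] < (int)sizeof(*info) || (unsigned int)ofs[i] > match_size ||
            match_size - (unsigned int)ofs[i] < sizeof(struct wormhash))
            return -1;
        const struct wormhash *w = (const void *)((const char *)info + ofs[i]);
        if (poolsize_invalid(w)) return -1;        /* 3: size math cannot overflow */
        expected += sizeof(*w) + (size_t)w->poolsize * sizeof(struct wormhash_tuple);
        if (expected > match_size) return -1;      /* 4: the whole pool fits */
    }
    return expected == match_size ? 0 : -1;        /* 5: exact size, no slack */
}

/* Constructed sample: info + one dst wormhash holding `poolsize` tuples but
 * advertising `claimed`; match_size 0 means "pass the blob's true size". */
int run_scenario(int poolsize, int claimed, unsigned int match_size)
{
    static uint32_t raw[512];                      /* 4-byte aligned scratch */
    struct among_info info = { (int)sizeof(info), 0, 0 };
    struct wormhash wh = { {0}, claimed };
    size_t n = sizeof(info) + sizeof(wh) + (size_t)poolsize * sizeof(struct wormhash_tuple);
    if (poolsize < 0 || n > sizeof(raw)) return -2;
    memset(raw, 0, n);
    memcpy(raw, &info, sizeof(info));
    memcpy((char *)raw + sizeof(info), &wh, sizeof(wh));
    return among_check(raw, match_size ? match_size : (unsigned int)n);
}
```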