From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.4 38/63] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets
Date: Fri, 16 Mar 2018 16:23:10 +0100
Message-Id: <20180316152304.286711058@linuxfoundation.org>
In-Reply-To: <20180316152259.964532775@linuxfoundation.org>
References: <20180316152259.964532775@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream. We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order. The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing. Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary. Reported-by: Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/bridge/netfilter/ebtables.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2021,7 +2021,9 @@ static int ebt_size_mwt(struct compat_eb if (match_kern) match_kern->match_size = ret; - WARN_ON(type == EBT_COMPAT_TARGET && size_left); + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + return -EINVAL; + match32 = (struct compat_ebt_entry_mwt *) buf; } @@ -2078,6 +2080,15 @@ static int size_entry_mwt(struct ebt_ent * * offsets are relative to beginning of struct ebt_entry (i.e., 0). */ + for (i = 0; i < 4 ; ++i) { + if (offsets[i] >= *total) + return -EINVAL; + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) + return -EINVAL; + } + for (i = 0, j = 1 ; j < 4 ; j++, i++) { struct compat_ebt_entry_mwt *match32; unsigned int size;
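Review bot: in the first hunk the condition inside the new `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))` is reached from a malformed userland blob, so keeping the WARN_ON means a host booted with panic_on_warn (the configuration syzkaller uses, per the commit message) still panics on bad input even though the function now returns -EINVAL; consider a plain `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;` or a ratelimited pr_warn so that bailing out is the only effect. The early return itself is right: the `match32 = (struct compat_ebt_entry_mwt *) buf;` reassignment that follows should not run once the sizes are known to be inconsistent.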
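Review bot: in the second hunk the range check `if (offsets[i] >= *total) return -EINVAL;` is applied to all four offsets, including the last one, so an offset exactly equal to `*total` is rejected; since the comment says offsets are relative to the beginning of struct ebt_entry and the loop that follows derives per-section sizes from adjacent offsets, the last offset marks where the entry ends, and a final entry whose end coincides with the remaining `*total` would be refused as invalid. Either allow equality for i == 3 or state why `*total` always exceeds every offset at this point. The ascending check `offsets[i-1] > offsets[i]` is the essential part: without it the `unsigned int size` in the following loop, presumably a difference of adjacent offsets, would wrap for a descending pair, and equal adjacent offsets (an empty section) remain allowed, which is what the ebtables format needs.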
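As an added example, not part of the patch or the kernel's own code, the offset check from the second hunk written standalone in C against a hypothetical 16-byte header of four little-endian u32 offsets, beside the unchecked size computation so the unsigned wrap the check prevents is visible. `validate_offsets`, `checked_segment_sizes`, `unchecked_segment_sizes`, `parse_blob`, the header layout and the sample blob are all constructed for this demo and mirror the patch's `>=` and ascending tests exactly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Validate four user-supplied offsets into a blob of `total` bytes the way
 * the patch does: each offset must lie inside the blob and the sequence must
 * be non-decreasing. Returns 0 if acceptable, -EINVAL otherwise. */
int validate_offsets(const uint32_t off[4], uint32_t total)
{
	for (int i = 0; i < 4; ++i) {
		if (off[i] >= total)          /* points at or past the end of the blob */
			return -EINVAL;
		if (i == 0)
			continue;
		if (off[i - 1] > off[i])      /* a later section would start before an earlier one */
			return -EINVAL;
	}
	return 0;
}

/* Section sizes computed WITHOUT validation: with unsigned arithmetic a
 * descending pair wraps to a value near 4 GiB, which a later size-driven walk
 * of the blob would then trust. Kept only to show the failure mode. */
void unchecked_segment_sizes(const uint32_t off[4], uint32_t sizes[3])
{
	for (int i = 0, j = 1; j < 4; ++i, ++j)
		sizes[i] = off[j] - off[i];
}

/* Hardened form: refuse the offsets first, so the subtraction can never wrap
 * and every size is bounded by `total`. */
int checked_segment_sizes(const uint32_t off[4], uint32_t total, uint32_t sizes[3])
{
	int rc = validate_offsets(off, total);
	if (rc)
		return rc;
	unchecked_segment_sizes(off, sizes);
	return 0;
}

/* Hypothetical layout for the demo: a 16-byte header of four little-endian
 * u32 offsets followed by the body. Decodes the header and validates it
 * against the blob length. */
int parse_blob(const unsigned char *buf, uint32_t len, uint32_t sizes[3])
{
	uint32_t off[4];
	if (len < sizeof(off))
		return -EINVAL;
	for (int i = 0; i < 4; ++i)
		off[i] = (uint32_t)buf[4 * i] | (uint32_t)buf[4 * i + 1] << 8 |
			 (uint32_t)buf[4 * i + 2] << 16 | (uint32_t)buf[4 * i + 3] << 24;
	return checked_segment_sizes(off, len, sizes);
}

/* Constructed sample: offsets 16, 40, 64, 96 into a 128-byte blob; the body
 * bytes are left zero because only the header matters here. */
static unsigned char sample_blob[128] = {
	16, 0, 0, 0,  40, 0, 0, 0,  64, 0, 0, 0,  96, 0, 0, 0,
};

int main(void)
{
	uint32_t sizes[3];
	int rc = parse_blob(sample_blob, sizeof(sample_blob), sizes);
	printf("well-formed: rc=%d sizes=%u %u %u\n", rc, sizes[0], sizes[1], sizes[2]);

	uint32_t bad[4] = { 16, 64, 40, 96 };   /* constructed: not ascending */
	unchecked_segment_sizes(bad, sizes);
	printf("unchecked: sizes[1] wraps to %u\n", sizes[1]);
	printf("checked: rc=%d\n", checked_segment_sizes(bad, 128, sizes));
	return 0;
}
```

The descending sample is rejected by the ordering test before any size is derived, whereas the unchecked path turns a 24-byte gap into a size of roughly 4 GiB; the out-of-range test separately stops an offset from addressing memory beyond the blob that was actually copied in.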