From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+fe0b19af568972814355@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.9 59/86] netfilter: bridge: ebt_among: add missing match size checks
Date: Fri, 16 Mar 2018 16:23:22 +0100
Message-Id: <20180316152321.373471597@linuxfoundation.org>
In-Reply-To: <20180316152317.167709497@linuxfoundation.org>
References: <20180316152317.167709497@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.

ebt_among is special, it has a dynamic match size and is exempt from the central size checks.

Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure. The module has such a check, but it's only done after accessing a structure that might be out of bounds.

tested with:
ebtables -A INPUT ... \
 --among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, return true; } +static bool poolsize_invalid(const struct ebt_mac_wormhash *w) +{ + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; const struct ebt_entry_match *em = container_of(par->matchinfo, const struct ebt_entry_match, data); - int expected_length = sizeof(struct ebt_among_info); + unsigned int expected_length = sizeof(struct ebt_among_info); const struct ebt_mac_wormhash *wh_dst, *wh_src; int err; + if (expected_length > em->match_size) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); - wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_dst); + if (expected_length > em->match_size) + return -EINVAL; + + wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_src)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_src); if (em->match_size != EBT_ALIGN(expected_length)) {
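Review bot: poolsize_invalid() reads w->poolsize as soon as ebt_among_wh_dst(info) (and later ebt_among_wh_src(info)) returns, and at that point only sizeof(struct ebt_among_info) has been verified against em->match_size; the hunk does not show how those wormhash pointers are located, so if they are derived from an offset field inside the userspace-supplied info, that offset should be checked before the first poolsize read (non-zero, at least sizeof(struct ebt_among_info), suitably aligned, and offset + sizeof(struct ebt_mac_wormhash) not exceeding em->match_size). The rest of the ordering is right: the early `if (expected_length > em->match_size) return -EINVAL;` covers the fixed header, the INT_MAX / sizeof(struct ebt_mac_wormhash_tuple) bound keeps ebt_mac_wormhash_size() from overflowing, switching expected_length to unsigned int stops a negative value from passing the comparison, and re-checking the running total after the dst wormhash before touching the src one is correct. The hunk is cut off after the final EBT_ALIGN comparison, so the existing mismatch branch is not visible here.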
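To make the validation order the patch establishes concrete, here is an added, self-contained example written for this page; it is not the kernel's ebt_among.c. The struct layouts, the field names (wh_dst_ofs, wh_src_ofs, poolsize), the helper names and the sample buffer are constructed simplifications, and the offset check goes one step beyond the hunk by validating the user-supplied offsets before they are followed. The steps are: confirm the fixed header fits the declared length, validate any offset before dereferencing through it, bound the element count before multiplying, and compare the accumulated expected length at each stage.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (constructed for this
 * example; not the real layouts). A match blob is a fixed header followed
 * by up to two variable-length "wormhash" pools located by offsets. */
struct mac_tuple  { uint32_t cmp[2]; uint32_t ip; };                 /* 12 bytes */
struct wormhash   { uint32_t poolsize; struct mac_tuple pool[]; };   /* 4 + 12*n */
struct among_info { uint32_t wh_dst_ofs; uint32_t wh_src_ofs; uint32_t bitmask; };

/* An offset is trusted only if it is absent (0) or lands a whole wormhash
 * header inside the declared length at proper alignment. */
static int offset_invalid(uint32_t off, size_t len)
{
	if (off == 0)
		return 0;
	if (off < sizeof(struct among_info) || off % _Alignof(struct wormhash))
		return 1;
	return len < sizeof(struct wormhash) || off > len - sizeof(struct wormhash);
}

/* Same bound as the patch: reject counts whose product with the tuple
 * size would overflow an int. */
static int poolsize_invalid(const struct wormhash *w)
{
	return w && w->poolsize >= (INT_MAX / sizeof(struct mac_tuple));
}

static size_t wormhash_size(const struct wormhash *w)
{
	return w ? sizeof(*w) + (size_t)w->poolsize * sizeof(struct mac_tuple) : 0;
}

/* Returns 0 if the blob is self-consistent, -EINVAL otherwise. Every read of
 * user-controlled bytes happens only after those bytes are known to lie
 * inside match_size. */
int among_check(const void *match, size_t match_size)
{
	const struct among_info *info = match;
	const struct wormhash *wh_dst = NULL, *wh_src = NULL;
	size_t expected = sizeof(*info);

	if (expected > match_size)                        /* 1. fixed header present */
		return -EINVAL;
	if (offset_invalid(info->wh_dst_ofs, match_size) ||
	    offset_invalid(info->wh_src_ofs, match_size))  /* 2. offsets sane before use */
		return -EINVAL;

	if (info->wh_dst_ofs)
		wh_dst = (const struct wormhash *)((const char *)match + info->wh_dst_ofs);
	if (poolsize_invalid(wh_dst))                     /* 3. count bounded before multiply */
		return -EINVAL;
	expected += wormhash_size(wh_dst);
	if (expected > match_size)                        /* 4. running total still fits */
		return -EINVAL;

	if (info->wh_src_ofs)
		wh_src = (const struct wormhash *)((const char *)match + info->wh_src_ofs);
	if (poolsize_invalid(wh_src))
		return -EINVAL;
	expected += wormhash_size(wh_src);

	return match_size == expected ? 0 : -EINVAL;      /* kernel compares EBT_ALIGN(expected) */
}

/* ---- constructed sample input: header + dst pool + src pool ---------- */
static size_t put_wormhash(unsigned char *buf, size_t off, uint32_t n)
{
	struct wormhash w = { .poolsize = n };
	memcpy(buf + off, &w, sizeof w);
	off += sizeof w;
	for (uint32_t i = 0; i < n; i++) {
		struct mac_tuple t = { .cmp = { 0xfefefefeu, 0xfefefefeu }, .ip = i };
		memcpy(buf + off, &t, sizeof t);
		off += sizeof t;
	}
	return off;
}

/* Returns the total length, i.e. the match_size an honest caller declares. */
size_t build_sample(unsigned char *buf, size_t cap, uint32_t dst_n, uint32_t src_n)
{
	struct among_info info = { 0, 0, 0 };
	size_t off = sizeof info;

	memset(buf, 0, cap);
	info.wh_dst_ofs = (uint32_t)off;
	off = put_wormhash(buf, off, dst_n);
	info.wh_src_ofs = (uint32_t)off;
	off = put_wormhash(buf, off, src_n);
	memcpy(buf, &info, sizeof info);
	return off;
}

int demo_valid(void)      /* 12 + 28 + 16 = 56 bytes, declared exactly */
{
	unsigned char b[256];
	size_t n = build_sample(b, sizeof b, 2, 1);
	return among_check(b, n);
}

int demo_truncated(void)  /* declared length one byte short of the data */
{
	unsigned char b[256];
	size_t n = build_sample(b, sizeof b, 2, 1);
	return among_check(b, n - 1);
}

int demo_bad_offset(void) /* src offset points past the declared blob */
{
	unsigned char b[256];
	struct among_info info;
	size_t n = build_sample(b, sizeof b, 2, 1);
	memcpy(&info, b, sizeof info);
	info.wh_src_ofs = (uint32_t)n + 64;
	memcpy(b, &info, sizeof info);
	return among_check(b, n);
}

int demo_huge_pool(void)  /* dst count that would overflow int arithmetic */
{
	unsigned char b[256];
	struct wormhash w;
	size_t n = build_sample(b, sizeof b, 2, 1);
	memcpy(&w, b + sizeof(struct among_info), sizeof w);
	w.poolsize = 0xffffffffu;
	memcpy(b + sizeof(struct among_info), &w, sizeof w);
	return among_check(b, n);
}

int main(void)
{
	printf("valid=%d truncated=%d bad_offset=%d huge_pool=%d (EINVAL=%d)\n",
	       demo_valid(), demo_truncated(), demo_bad_offset(), demo_huge_pool(), EINVAL);
	return 0;
}
```

The first demo passes and the other three are rejected before any out-of-range byte is read. In demo_bad_offset the stray offset still lands inside the 256-byte local buffer, so a missing check would not crash this toy; in the kernel the equivalent read would land past the copied-in match data, which is the situation the patch closes.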