From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.9 58/86] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets
Date: Fri, 16 Mar 2018 16:23:21 +0100
Message-Id: <20180316152321.326160653@linuxfoundation.org>
In-Reply-To: <20180316152317.167709497@linuxfoundation.org>
X-stable: review

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream. We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order. The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing. Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary. Reported-by: Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/bridge/netfilter/ebtables.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2031,7 +2031,9 @@ static int ebt_size_mwt(struct compat_eb if (match_kern) match_kern->match_size = ret; - WARN_ON(type == EBT_COMPAT_TARGET && size_left); + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + return -EINVAL; + match32 = (struct compat_ebt_entry_mwt *) buf; } @@ -2087,6 +2089,15 @@ static int size_entry_mwt(struct ebt_ent * * offsets are relative to beginning of struct ebt_entry (i.e., 0). */ + for (i = 0; i < 4 ; ++i) { + if (offsets[i] >= *total) + return -EINVAL; + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) + return -EINVAL; + } + for (i = 0, j = 1 ; j < 4 ; j++, i++) { struct compat_ebt_entry_mwt *match32; unsigned int size;
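Review bot: in the ebt_size_mwt hunk, `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) return -EINVAL;` now fails the parse as the commit message intends, but the WARN_ON itself is kept on a condition the same message says syzkaller reaches from userland with panic_on_warn set. Leftover bytes after the target in a userland-supplied compat ruleset is input validation, not a broken kernel invariant, so a plain `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;` would reject the ruleset without emitting a warning, and without turning a malformed ruleset into a panic on panic_on_warn systems.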
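Review bot: in the size_entry_mwt hunk, the bound check `if (offsets[i] >= *total) return -EINVAL;` rejects an offset equal to *total for all four entries of offsets[]. The hunk does not show how offsets[] is filled, but if its last element is the entry's end offset and *total is the number of bytes remaining in the blob, the final rule ends exactly at *total and would be rejected by `>=`, so the end offset should be bounded with `>` and only the interior offsets with `>=`. The ascending-order check `if (offsets[i-1] > offsets[i])` deliberately accepts equal consecutive offsets (an entry with no matches or watchers); the comment above the loop, which currently only says that offsets are relative to the start of struct ebt_entry, should state both invariants so the `>` versus `>=` choice is not changed by accident later.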