From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+fe0b19af568972814355@syzkaller.appspotmail.com, Florian Westphal , Pablo Neira Ayuso
Subject: [PATCH 4.4 39/63] netfilter: bridge: ebt_among: add missing match size checks
Date: Fri, 16 Mar 2018 16:23:11 +0100
Message-Id: <20180316152304.411245630@linuxfoundation.org>
In-Reply-To: <20180316152259.964532775@linuxfoundation.org>
References: <20180316152259.964532775@linuxfoundation.org>
X-stable: review

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.

ebt_among is special, it has a dynamic match size and is exempt from the central size checks.

Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing a structure that might be out of bounds.

tested with:
ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, return true; } +static bool poolsize_invalid(const struct ebt_mac_wormhash *w) +{ + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; const struct ebt_entry_match *em = container_of(par->matchinfo, const struct ebt_entry_match, data); - int expected_length = sizeof(struct ebt_among_info); + unsigned int expected_length = sizeof(struct ebt_among_info); const struct ebt_mac_wormhash *wh_dst, *wh_src; int err; + if (expected_length > em->match_size) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); - wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_dst); + if (expected_length > em->match_size) + return -EINVAL; + + wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_src)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_src); if (em->match_size != EBT_ALIGN(expected_length)) {
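Review bot: the pointer returned by ebt_among_wh_dst(info) (and later ebt_among_wh_src(info)) is dereferenced in poolsize_invalid() via w->poolsize before anything in this hunk confirms that the pointer itself lies inside the em->match_size bytes; the new check `if (expected_length > em->match_size) return -EINVAL;` only guarantees that the fixed-size struct ebt_among_info is readable, and the later `expected_length += ebt_mac_wormhash_size(wh_dst);` check runs after poolsize has already been read. If those helpers locate the wormhash through an offset stored in the userspace-supplied info, the offset should be bounds-checked against em->match_size before the dereference as well. The remaining changes look right: making expected_length `unsigned int` matches the type of em->match_size so the comparisons are not signed/unsigned mismatches, and rejecting poolsize >= INT_MAX / sizeof(struct ebt_mac_wormhash_tuple) keeps the multiplication inside ebt_mac_wormhash_size() from overflowing before expected_length is compared; a one-line comment on poolsize_invalid() stating that overflow rationale would help the next reader.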