Received: by 10.213.65.68 with SMTP id h4csp736158imn;
        Fri, 6 Apr 2018 08:04:24 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+QtNGCO9MXOucInMALIpP/TgkkxCAdF0t42DllVYLqotu0oxJkcSiF1iSbdTJ5f0k6nXH+
X-Received: by 2002:a17:902:9892:: with SMTP id s18-v6mr11485976plp.95.1523027064369;
        Fri, 06 Apr 2018 08:04:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523027064; cv=none;
        d=google.com; s=arc-20160816;
        b=xEZZk1lYyYcczqRrGCVd1axVVMNn0PcN5mjtQMTBc2rnY8g+z7Zgkgibzu8e85K3UP
         08WxWrIqfgc2uqJfmku7ml6PreJD8sgt4RlSTKuMLoBrzBcCe/GWXc/dXWZmKQhu1FjU
         JAO1HwVydYa7eDipsWdA/NDgOiBivWPXes/P11c+zX2SH6No0qB3OoThplpJgQ39AI1w
         fe1GizrBBMLtJk+a/JE1JEZF+lZs/8+K7InWEKeBzJ5weWeacEAV9jFYaJjSwLuuYDIq
         Z2A8EV4mZgPIRRMyrWO3U0ueWrd5Dk2HlkF5TLil7bQD8lUJGwztjj9t+NCfx1ghlE23
         gUTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=UMK+7xDn0S//kB43lZ+pzdkTKFEU2VVG7XmTpkDnEz4=;
        b=DGScWKLSSTZr+zeIh+XPv2YSwHnI3Jl6Cz+4Z0EKNgdhnnqzMpZQAaNS3fGF9lWP9H
         moqHfNgK3tGBCMSRLiF8EoDma1Lrhm4PZtvfwbYps3CwbVeGIHLjJhcglbDwKomKop1h
         d3F7pW8/aoORrPCr5Yl04xEKPXhggAyoI90Kp0A9qgwvzfmgwJQb+NRLkWrcLIkdHwSb
         7gBNe4eNlGbt6UaDcD8hdUn2SfhHT6SssQod3TjzCevMKtruTpzLazhy5NLA6i9edxu8
         3Zu1DjJ1Gn33rvKflGPsmtWeBstkalbkwG60awhdX7RcHGpKBIE5LhlhinNG89RSzvSy
         XsnA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l18si7235189pgn.744.2018.04.06.08.04.10;
        Fri, 06 Apr 2018 08:04:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754985AbeDFNat (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Fri, 6 Apr 2018 09:30:49 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:56242 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754969AbeDFNar (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Apr 2018 09:30:47 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 9ADF0D54;
        Fri,  6 Apr 2018 13:30:46 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com,
        Florian Westphal <fw@strlen.de>,
        Eric Dumazet <edumazet@google.com>,
        Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.4 39/72] netfilter: bridge: ebt_among: add more missing match size checks
Date:   Fri,  6 Apr 2018 15:23:40 +0200
Message-Id: <20180406084308.406734744@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180406084305.210085169@linuxfoundation.org>
References: <20180406084305.210085169@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit c8d70a700a5b486bfa8e5a7d33d805389f6e59f9 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part

NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with same rules from the earlier patch.

Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bridge/netfilter/ebt_among.c |   34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struc
 	return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
 }
 
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+	if (off == 0) /* not present */
+		return false;
+
+	if (off < (int)sizeof(struct ebt_among_info) ||
+	    off % __alignof__(struct ebt_mac_wormhash))
+		return true;
+
+	off += sizeof(struct ebt_mac_wormhash);
+
+	return off > len;
+}
+
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
+{
+	if (a == 0)
+		a = sizeof(struct ebt_among_info);
+
+	return ebt_mac_wormhash_size(wh) + a == b;
+}
+
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct ebt_among_info *info = par->matchinfo;
@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const stru
 	if (expected_length > em->match_size)
 		return -EINVAL;
 
+	if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+	    wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+		return -EINVAL;
+
 	wh_dst = ebt_among_wh_dst(info);
 	if (poolsize_invalid(wh_dst))
 		return -EINVAL;
@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const stru
 	if (poolsize_invalid(wh_src))
 		return -EINVAL;
 
+	if (info->wh_src_ofs < info->wh_dst_ofs) {
+		if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
+			return -EINVAL;
+	} else {
+		if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
+			return -EINVAL;
+	}
+
 	expected_length += ebt_mac_wormhash_size(wh_src);
 
 	if (em->match_size != EBT_ALIGN(expected_length)) {