From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.14 177/183] netfilter: compat: reject huge allocation requests
Date: Wed, 25 Apr 2018 12:36:37 +0200
Message-Id: <20180425103249.619337009@linuxfoundation.org>
In-Reply-To: <20180425103242.532713678@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd upstream.

no need to bother even trying to allocate huge compat offset arrays, such ruleset is rejected later on anyway because we refuse to allocate overly large rule blobs.

However, compat translation happens before blob allocation, so we should add a check there too.

This is supposed to help with fuzzing by avoiding oom-killer.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/x_tables.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -555,14 +555,8 @@ int xt_compat_add_offset(u_int8_t af, un { struct xt_af *xp = &xt[af]; - if (!xp->compat_tab) { - if (!xp->number) - return -EINVAL; - xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); - if (!xp->compat_tab) - return -ENOMEM; - xp->cur = 0; - } + if (WARN_ON(!xp->compat_tab)) + return -ENOMEM; if (xp->cur >= xp->number) return -EINVAL; @@ -607,6 +601,22 @@ EXPORT_SYMBOL_GPL(xt_compat_calc_jump); int xt_compat_init_offsets(u8 af, unsigned int number) { + size_t mem; + + if (!number || number > (INT_MAX / sizeof(struct compat_delta))) + return -EINVAL; + + if (WARN_ON(xt[af].compat_tab)) + return -EINVAL; + + mem = sizeof(struct compat_delta) * number; + if (mem > XT_MAX_TABLE_SIZE) + return -ENOMEM; + + xt[af].compat_tab = vmalloc(mem); + if (!xt[af].compat_tab) + return -ENOMEM; + xt[af].number = number; xt[af].cur = 0;
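
Review bot: In the first hunk (xt_compat_add_offset), the new WARN_ON(!xp->compat_tab) path returns -ENOMEM even though this function no longer allocates anything, so a caller that reaches it without a prior successful xt_compat_init_offsets() gets an out-of-memory error for what is an ordering bug. Since the lazy vmalloc() fallback is removed here, a short comment stating that xt_compat_init_offsets() must have succeeded first would help, and it is worth confirming that no existing caller relied on the fallback, because those callers are not visible in this patch and a reachable WARN_ON is itself a problem for the fuzzing setups the commit message mentions.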
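
Review bot: In the second hunk (xt_compat_init_offsets), an oversized request is rejected with two different errnos: -EINVAL from the number > (INT_MAX / sizeof(struct compat_delta)) bound and -ENOMEM from the mem > XT_MAX_TABLE_SIZE bound, so the error a caller sees for "too many entries" depends on which limit is hit first. A one-line comment saying the first check exists only to keep the multiplication from overflowing and the second is the real policy limit would make the intent clear. Separately, WARN_ON(xt[af].compat_tab) assumes the pointer is reset to NULL wherever the table is freed; that code is outside this patch and should be checked, otherwise every init after the first will warn and fail with -EINVAL.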