From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 4.16 21/26] netfilter: compat: reject huge allocation requests
Date: Wed, 25 Apr 2018 12:33:30 +0200
Message-Id: <20180425103315.691904897@linuxfoundation.org>
In-Reply-To: <20180425103314.842517924@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd upstream.

No need to bother even trying to allocate huge compat offset arrays, such ruleset is rejected later on anyway because we refuse to allocate overly large rule blobs.

However, compat translation happens before blob allocation, so we should add a check there too.

This is supposed to help with fuzzing by avoiding oom-killer.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/x_tables.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -554,14 +554,8 @@ int xt_compat_add_offset(u_int8_t af, un { struct xt_af *xp = &xt[af]; - if (!xp->compat_tab) { - if (!xp->number) - return -EINVAL; - xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); - if (!xp->compat_tab) - return -ENOMEM; - xp->cur = 0; - } + if (WARN_ON(!xp->compat_tab)) + return -ENOMEM; if (xp->cur >= xp->number) return -EINVAL; @@ -606,6 +600,22 @@ EXPORT_SYMBOL_GPL(xt_compat_calc_jump); int xt_compat_init_offsets(u8 af, unsigned int number) { + size_t mem; + + if (!number || number > (INT_MAX / sizeof(struct compat_delta))) + return -EINVAL; + + if (WARN_ON(xt[af].compat_tab)) + return -EINVAL; + + mem = sizeof(struct compat_delta) * number; + if (mem > XT_MAX_TABLE_SIZE) + return -ENOMEM; + + xt[af].compat_tab = vmalloc(mem); + if (!xt[af].compat_tab) + return -ENOMEM; + xt[af].number = number; xt[af].cur = 0;
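
Review bot: In the first hunk (xt_compat_add_offset), the new `if (WARN_ON(!xp->compat_tab)) return -ENOMEM;` reports a missing table as an out-of-memory error even though, with the lazy vmalloc() removed, no allocation is attempted in this function any more. The condition now means xt_compat_init_offsets() was not called first, so -EINVAL would describe it more accurately, and a comment above the function stating that precondition would make the new contract visible to callers. If this path can be hit repeatedly, WARN_ON_ONCE would keep a single caller bug from flooding the log.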
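
Review bot: In the second hunk (xt_compat_init_offsets), the two size limits return different errors for what is the same kind of rejection: `number > (INT_MAX / sizeof(struct compat_delta))` gives -EINVAL, while `mem > XT_MAX_TABLE_SIZE` gives -ENOMEM. A short comment would help here, saying that the first check keeps `sizeof(struct compat_delta) * number` from overflowing and the second enforces the table size limit, and why the errnos differ. The `WARN_ON(xt[af].compat_tab)` check also introduces an undocumented requirement that the previous table has been freed and the pointer cleared before this function is called again for the same af; that deserves a line in a comment as well.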