From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "" , "Florian Westphal" , "Pablo Neira Ayuso"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 344/410] netfilter: bridge: ebt_among: add missing match size checks
In-Reply-To:
X-SA-Exim-Connect-IP: 148.252.241.226
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

Therefore it must check that the size of the match structure
provided from userspace is sane by making sure em->match_size
is at least the minimum size of the expected structure.

The module has such a check, but it's only done after accessing
a structure that might be out of bounds.

tested with:
ebtables -A INPUT ... \
--among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe
--among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe
--among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Ben Hutchings
---
 net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, return true; } +static bool poolsize_invalid(const struct ebt_mac_wormhash *w) +{ + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; const struct ebt_entry_match *em = container_of(par->matchinfo, const struct ebt_entry_match, data); - int expected_length = sizeof(struct ebt_among_info); + unsigned int expected_length = sizeof(struct ebt_among_info); const struct ebt_mac_wormhash *wh_dst, *wh_src; int err; + if (expected_length > em->match_size) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); - wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_dst); + if (expected_length > em->match_size) + return -EINVAL; + + wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_src)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_src); if (em->match_size != EBT_ALIGN(expected_length)) {
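Review bot: the new `expected_length > em->match_size` check bounds only the fixed `struct ebt_among_info`, yet `poolsize_invalid(wh_dst)` then reads `w->poolsize` through the pointer that `ebt_among_wh_dst(info)` derives from `info`, and nothing in this hunk shows that pointer's position being validated against `em->match_size` before the read; the same holds for `wh_src` via `ebt_among_wh_src(info)`. Unless those helpers reject out-of-range positions themselves (their bodies are not in the hunk), consider checking, before each `poolsize_invalid()` call, that the wormhash's position (call it `off`, relative to `info`) is not inside the info header, is suitably aligned, and that its fixed part fits, along the lines of `if (off < sizeof(struct ebt_among_info) || off + sizeof(struct ebt_mac_wormhash) > em->match_size) return -EINVAL;`. A smaller point: the two intermediate comparisons use the unaligned `expected_length` while the existing final check compares `em->match_size` with `EBT_ALIGN(expected_length)`; that is consistent because alignment only rounds up, but a one-line comment saying so would spare the next reader the reasoning.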
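As an added example, not part of the patch or of the kernel tree, the following userspace model reproduces the check ordering the patch establishes (header bound first, then the poolsize overflow guard, then the pool length, then the exact aligned size) and extends it so that each wormhash's own position is bounded before its poolsize is read. The struct layouts, the 8-byte EBT_ALIGN and the constructed blob built by check_case() are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Reduced model of the ebtables uapi layouts (assumption); EBT_ALIGN simplified to 8-byte rounding. */
struct tuple      { unsigned int cmp[2]; unsigned int ip; };
struct wormhash   { int table[257]; int poolsize; /* poolsize tuples follow */ };
struct among_info { int wh_dst_ofs; int wh_src_ofs; int bitmask; };
#define EBT_ALIGN(s) (((s) + 7u) & ~7u)

/* Length of the wormhash at `off` (0 = absent) or -EINVAL; every field is bound-checked before it is read. */
static int wormhash_len(const unsigned char *blob, unsigned int match_size, int off, unsigned int *len) {
	int poolsize;
	*len = 0;
	if (off == 0) return 0;
	if (off < (int)sizeof(struct among_info) || (unsigned int)off > match_size ||
	    sizeof(struct wormhash) > match_size - (unsigned int)off)
		return -EINVAL;                  /* header would be read out of bounds */
	memcpy(&poolsize, blob + off + offsetof(struct wormhash, poolsize), sizeof poolsize);
	if (poolsize < 0 || poolsize >= (int)(INT_MAX / sizeof(struct tuple)))
		return -EINVAL;                  /* the patch's poolsize_invalid() guard */
	*len = sizeof(struct wormhash) + (unsigned int)poolsize * sizeof(struct tuple);
	return *len > match_size - (unsigned int)off ? -EINVAL : 0;  /* pool truncated */
}

/* Userspace stand-in for the patched ebt_among_mt_check(): 0 when the blob is sane. */
int among_check(const unsigned char *blob, unsigned int match_size) {
	struct among_info info;
	unsigned int expected = sizeof info, len;
	if (expected > match_size) return -EINVAL;   /* the fix: bound the header first */
	memcpy(&info, blob, sizeof info);
	if (wormhash_len(blob, match_size, info.wh_dst_ofs, &len)) return -EINVAL;
	expected += len;
	if (wormhash_len(blob, match_size, info.wh_src_ofs, &len)) return -EINVAL;
	expected += len;
	return match_size == EBT_ALIGN(expected) ? 0 : -EINVAL;
}

/* Constructed input: header pointing the dst wormhash at `dst_ofs`, a wormhash at offset 12 holding
 * two zeroed tuples but announcing `announced`, checked with match_size shortened by `cut` bytes. */
int check_case(int announced, int dst_ofs, unsigned int cut) {
	static unsigned char buf[2048];
	struct among_info info = { .wh_dst_ofs = dst_ofs };
	unsigned int total = EBT_ALIGN(sizeof info + sizeof(struct wormhash) + 2 * sizeof(struct tuple));
	memset(buf, 0, sizeof buf);
	memcpy(buf, &info, sizeof info);
	memcpy(buf + sizeof info + offsetof(struct wormhash, poolsize), &announced, sizeof announced);
	return among_check(buf, total - cut);
}
```

The well-formed blob is accepted, while a truncated header, an over-announced pool, trailing bytes, a negative or overflow-sized poolsize, and a wormhash position outside the match are each rejected with -EINVAL before any out-of-bounds read.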