From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Florian Westphal", "Pablo Neira Ayuso"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 015/410] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to
also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus
jump to custom chains using 32bit ebtables binary.

Reported-by:
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Ben Hutchings
---
 net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2010,7 +2010,9 @@ static int ebt_size_mwt(struct compat_eb if (match_kern) match_kern->match_size = ret; - WARN_ON(type == EBT_COMPAT_TARGET && size_left); + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + return -EINVAL; + match32 = (struct compat_ebt_entry_mwt *) buf; }
@@ -2067,6 +2069,15 @@ static int size_entry_mwt(struct ebt_ent * * offsets are relative to beginning of struct ebt_entry (i.e., 0). */ + for (i = 0; i < 4 ; ++i) { + if (offsets[i] >= *total) + return -EINVAL; + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) + return -EINVAL; + } + for (i = 0, j = 1 ; j < 4 ; j++, i++) { struct compat_ebt_entry_mwt *match32; unsigned int size;
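Review bot: In the ebt_size_mwt hunk, `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) return -EINVAL;` now fails safely, but the WARN_ON stays on a path that the commit message says syzkaller reached from userland with panic_on_warn set; unless the new offset checks in size_entry_mwt guarantee that a crafted compat blob can no longer produce this condition, a plain `return -EINVAL` (or a ratelimited pr_warn) would avoid turning a malformed ruleset into a panic on panic_on_warn kernels. If the checks do make it unreachable, a one-line comment saying so would mark the remaining WARN_ON as an internal-consistency assertion rather than input validation.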
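Review bot: In the size_entry_mwt hunk, the ordering check `if (offsets[i-1] > offsets[i]) return -EINVAL;` accepts equal consecutive offsets, so an empty match, watcher or target section passes, while the commit message only says "ascending order"; a comment stating that equality is deliberate, and that `offsets[i] >= *total` rejects any section starting at or past the end of the blob, would save the next reader from wondering whether `>=` was intended in both places. Minor: the `if (i == 0) continue;` could be folded away by range-checking all four entries and then comparing from i = 1, and `i < 4 ;` carries the pre-semicolon space checkpatch flags, though the existing `j < 4 ;` loop below uses the same spacing.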