From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Gao Feng, Pablo Neira Ayuso, Loic
Subject: [PATCH 4.4 27/27] ebtables: arpreply: Add the standard target sanity check
Date: Thu, 11 Oct 2018 17:35:14 +0200
Message-Id: <20181011152535.342308260@linuxfoundation.org>
In-Reply-To: <20181011152534.014964888@linuxfoundation.org>
References: <20181011152534.014964888@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Gao Feng

commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.

The info->target comes from userspace and it would be used directly.
So we need to add the sanity check to make sure it is a valid standard
target, although the ebtables tool has already checked it. Kernel needs
to validate anything coming from userspace.

If the target is set as an evil value, it would break the ebtables
and cause a panic. Because the non-standard target is treated as one
offset.

Now add one helper function ebt_invalid_target, and we would replace
the macro INVALID_TARGET later.

Signed-off-by: Gao Feng
Signed-off-by: Pablo Neira Ayuso
Cc: Loic
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/netfilter_bridge/ebtables.h | 5 +++++
 net/bridge/netfilter/ebt_arpreply.c | 3 +++
 2 files changed, 8 insertions(+)

--- a/include/linux/netfilter_bridge/ebtables.h +++ b/include/linux/netfilter_bridge/ebtables.h
@@ -125,4 +125,9 @@ extern unsigned int ebt_do_table(struct /* True if the target is not a standard target */ #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0) +static inline bool ebt_invalid_target(int target) +{ + return (target < -NUM_STANDARD_TARGETS || target >= 0); +} + #endif --- a/net/bridge/netfilter/ebt_arpreply.c +++ b/net/bridge/netfilter/ebt_arpreply.c @@ -67,6 +67,9 @@ static int ebt_arpreply_tg_check(const s if (e->ethproto != htons(ETH_P_ARP) || e->invflags & EBT_IPROTO) return -EINVAL; + if (ebt_invalid_target(info->target)) + return -EINVAL; + return 0; }
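Review bot: In the include/linux/netfilter_bridge/ebtables.h hunk, the new ebt_invalid_target() repeats the range test of the INVALID_TARGET macro directly above it, so the two copies can drift apart until the macro is removed. Consider defining the macro through the helper, e.g. #define INVALID_TARGET ebt_invalid_target(info->target), and giving the helper its own copy of the "True if the target is not a standard target" comment, since the helper is what callers are meant to use from now on. The outer parentheses in the return statement are redundant.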
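Review bot: In the net/bridge/netfilter/ebt_arpreply.c hunk, the new check in ebt_arpreply_tg_check() carries no comment saying why it is needed, and the reason is not visible in the code: the commit message explains that info->target comes from userspace and that a non-standard value is treated as an offset. A one-line comment above if (ebt_invalid_target(info->target)) stating that would keep the check from being dropped later as redundant with the ebtables tool's own validation. Returning -EINVAL is consistent with the existing ethproto check just above it.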