From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Pablo Neira Ayuso"
Date: Fri, 24 Apr 2020 00:04:58 +0100
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 071/245] netfilter: nf_tables: missing sanitization in data from userspace
In-Reply-To:
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso

commit 71df14b0ce094be46d105b5a3ededd83b8e779a0 upstream.

Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and
cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it
is still possible to handcraft a netlink message using this incorrect
data type.

Signed-off-by: Pablo Neira Ayuso
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 net/netfilter/nft_bitwise.c | 19 ++++++++++++++-----
 net/netfilter/nft_cmp.c     | 12 ++++++++++--
 2 files changed, 24 insertions(+), 7 deletions(-)

--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -86,16 +86,25 @@ static int nft_bitwise_init(const struct err = nft_data_init(NULL, &priv->mask, &d1, tb[NFTA_BITWISE_MASK]); if (err < 0) return err; - if (d1.len != priv->len) - return -EINVAL; + if (d1.len != priv->len) { + err = -EINVAL; + goto err1; + } err = nft_data_init(NULL, &priv->xor, &d2, tb[NFTA_BITWISE_XOR]); if (err < 0) - return err; - if (d2.len != priv->len) - return -EINVAL; + goto err1; + if (d2.len != priv->len) { + err = -EINVAL; + goto err2; + } return 0; +err2: + nft_data_uninit(&priv->xor, d2.type); +err1: + nft_data_uninit(&priv->mask, d1.type); + return err; } static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr) --- a/net/netfilter/nft_cmp.c +++ b/net/netfilter/nft_cmp.c @@ -201,10 +201,18 @@ nft_cmp_select_ops(const struct nft_ctx if (err < 0) return ERR_PTR(err); + if (desc.type != NFT_DATA_VALUE) { + err = -EINVAL; + goto err1; + } + if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ) return &nft_cmp_fast_ops; - else - return &nft_cmp_ops; + + return &nft_cmp_ops; +err1: + nft_data_uninit(&data, desc.type); + return ERR_PTR(-EINVAL); } static struct nft_expr_type nft_cmp_type __read_mostly = {
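Review bot: the nft_bitwise.c hunk does not implement the type check the commit message promises for bitwise expressions. It only turns the two length checks (`if (d1.len != priv->len)` and `if (d2.len != priv->len)`) into goto-based unwinds; neither `d1.type` nor `d2.type` is ever compared against NFT_DATA_VALUE, so a verdict is still rejected only indirectly, through the length comparison. Suggest `if (d1.type != NFT_DATA_VALUE || d1.len != priv->len)` and the same for d2, keeping the new err1/err2 labels as they are. The unwind itself looks right: an `nft_data_init` failure for the XOR value jumps to err1 and releases only the mask, while a bad XOR length goes through err2 and releases `priv->xor` with `d2.type` before falling into err1 for the mask.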
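Review bot: in the nft_cmp.c hunk the new `err = -EINVAL;` before `goto err1;` is dead, because the err1 label returns the hard-coded `ERR_PTR(-EINVAL)` instead of `ERR_PTR(err)`; either return `ERR_PTR(err)` at err1 or drop the assignment, so the two cannot drift apart if another failure path is added later. A short comment would also help on why the two success returns (`return &nft_cmp_fast_ops;` and `return &nft_cmp_ops;`) still do not call `nft_data_uninit`: that is only safe because the type has just been verified to be NFT_DATA_VALUE, for which there is nothing to release, whereas a verdict parsed into `data` is exactly what the new err1 path has to undo.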