Date: Mon, 24 Aug 2020 19:38:32 +0000
In-Reply-To: <20200824193832.853621-1-willmcvicker@google.com>
Message-Id: <20200824193832.853621-2-willmcvicker@google.com>
References: <20200804113711.GA20988@salvia> <20200824193832.853621-1-willmcvicker@google.com>
Subject: [PATCH v3 1/1] netfilter: nat: add a range check for l3/l4 protonum
From: Will McVicker
To: stable@vger.kernel.org, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, Will McVicker
X-Mailing-List: linux-kernel@vger.kernel.org

The indexes to the nf_nat_l[34]protos arrays come from userspace. So check
the tuple's family, e.g. l3num, when creating the conntrack in order to
prevent an OOB memory access during setup. Here is an example kernel panic
on 4.14.180 when userspace passes in an index greater than NFPROTO_NUMPROTO.

Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:...
Process poc (pid: 5614, stack limit = 0x00000000a3933121)
CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
task: 000000002a3dfffe task.stack: 00000000a3933121
pc : __cfi_check_fail+0x1c/0x24
lr : __cfi_check_fail+0x1c/0x24
...
Call trace:
 __cfi_check_fail+0x1c/0x24
 name_to_dev_t+0x0/0x468
 nfnetlink_parse_nat_setup+0x234/0x258
 ctnetlink_parse_nat_setup+0x4c/0x228
 ctnetlink_new_conntrack+0x590/0xc40
 nfnetlink_rcv_msg+0x31c/0x4d4
 netlink_rcv_skb+0x100/0x184
 nfnetlink_rcv+0xf4/0x180
 netlink_unicast+0x360/0x770
 netlink_sendmsg+0x5a0/0x6a4
 ___sys_sendmsg+0x314/0x46c
 SyS_sendmsg+0xb4/0x108
 el0_svc_naked+0x34/0x38

Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
Signed-off-by: Will McVicker
---
 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 31fa94064a62..0b89609a6e9d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], if (!tb[CTA_TUPLE_IP]) return -EINVAL; + if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) + return -EOPNOTSUPP; tuple->src.l3num = l3num; err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); -- 2.28.0.297.g1956fa8f8d-goog
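Review bot: the subject promises a range check for the l3 and l4 protonum, but the hunk in ctnetlink_parse_tuple only validates l3num (`if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) return -EOPNOTSUPP;`); nothing in this hunk touches the l4 protonum, so either narrow the subject to l3num or add a sentence to the message explaining why the l4 index needs no check. The message also frames the bug as "an index greater than NFPROTO_NUMPROTO", while the check rejects every family except IPv4 and IPv6, which is stricter than a range check; that is the right choice for ctnetlink, but say so in the message so a backporter does not weaken it to `l3num >= NFPROTO_NUMPROTO`. Minor: placing the new test before the `if (!tb[CTA_TUPLE_IP]) return -EINVAL;` line would refuse an unsupported family regardless of which attributes the caller supplied.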
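The failure mode in the commit message, as an added user-space model that is not part of the patch or of the kernel tree: an 8-bit family taken from the nfnetlink header is used directly as an index into a per-family table of only NFPROTO_NUMPROTO entries, so any value from 13 to 255 reads whatever sits after the table (in the oops above, that is what ends in `__cfi_check_fail`). The buggy lookup is shown beside a checked one that applies the same IPv4/IPv6 whitelist the hunk adds. Assumptions: NFPROTO_IPV4, NFPROTO_IPV6 and NFPROTO_NUMPROTO take the uapi values 2, 10 and 13; `struct nfgenmsg` mirrors the nfnetlink header layout; the `l3proto` struct, the table contents, the `poison` entry standing in for adjacent memory, and the sample messages are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as in include/uapi/linux/netfilter.h (assumption). */
#define NFPROTO_IPV4      2
#define NFPROTO_IPV6     10
#define NFPROTO_NUMPROTO 13

/* Stand-in for the nfgenmsg header that opens every nfnetlink payload. */
struct nfgenmsg {
    uint8_t  nfgen_family;   /* 8 bits, supplied by the unprivileged sender */
    uint8_t  version;
    uint16_t res_id;
};

/* Constructed stand-in for an nf_nat_l3proto descriptor. */
struct l3proto {
    uint8_t     family;
    const char *name;
};

static const struct l3proto ipv4_l3 = { NFPROTO_IPV4, "ipv4" };
static const struct l3proto ipv6_l3 = { NFPROTO_IPV6, "ipv6" };
/* Models whatever the kernel happens to lay out after nf_nat_l3protos. */
static const struct l3proto poison  = { 0xff, "memory past the table" };

/*
 * 256 slots so that indexing by any uint8_t stays well defined in this model.
 * Only the first NFPROTO_NUMPROTO slots are the real table; the remaining
 * slots represent out-of-bounds memory and hold the poison pointer.
 */
static const struct l3proto *slots[256];
static const struct l3proto *scratch;   /* result holder for callers/tests */

static const struct l3proto *slot(uint8_t idx)
{
    static int ready;
    if (!ready) {
        for (size_t i = 0; i < 256; i++)
            slots[i] = (i < NFPROTO_NUMPROTO) ? NULL : &poison;
        slots[NFPROTO_IPV4] = &ipv4_l3;
        slots[NFPROTO_IPV6] = &ipv6_l3;
        ready = 1;
    }
    return slots[idx];
}

/* Buggy: trusts the 8-bit family as an index into a 13-entry table. */
static const struct l3proto *l3proto_lookup_unchecked(uint8_t family)
{
    return slot(family);
}

/* Fixed: the whitelist the patch adds, applied before any table access. */
static int l3proto_lookup_checked(uint8_t family, const struct l3proto **out)
{
    if (family != NFPROTO_IPV4 && family != NFPROTO_IPV6)
        return -EOPNOTSUPP;
    *out = slot(family);
    return 0;
}

/* Parse nfgen_family from a raw payload and resolve it via the checked path. */
static int parse_nat_setup(const uint8_t *msg, size_t len, const struct l3proto **out)
{
    struct nfgenmsg hdr;

    if (len < sizeof(hdr))
        return -EINVAL;
    memcpy(&hdr, msg, sizeof(hdr));
    return l3proto_lookup_checked(hdr.nfgen_family, out);
}

/* Build a constructed 4-byte nfgenmsg for `family` and feed it to parse_nat_setup. */
static int parse_family(uint8_t family, size_t len, const struct l3proto **out)
{
    uint8_t msg[sizeof(struct nfgenmsg)] = { family, 0, 0, 0 };
    return parse_nat_setup(msg, len, out);
}

/* Number of the 256 possible families the unchecked path resolves past the table. */
static int count_oob_families(void)
{
    int n = 0;
    for (int f = 0; f < 256; f++)
        if (l3proto_lookup_unchecked((uint8_t)f) == &poison)
            n++;
    return n;
}

int main(void)
{
    printf("families the unchecked lookup reads out of bounds: %d of 256\n",
           count_oob_families());
    printf("family 0x80 unchecked -> %s\n", l3proto_lookup_unchecked(0x80)->name);
    printf("family 0x80 checked   -> %d (-EOPNOTSUPP is %d)\n",
           parse_family(0x80, sizeof(struct nfgenmsg), &scratch), -EOPNOTSUPP);
    return 0;
}
```

In the real kernel the slot read for an out-of-range family is a function-pointer table entry that is then called, which is why the oops lands in `__cfi_check_fail` rather than in a plain page fault; the model returns a poison descriptor instead of dereferencing anything.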