Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2386130pxa;
        Mon, 24 Aug 2020 12:40:22 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzjx9Qv/UUgF8VKquu/PZogMCmhmBAcegAYWuP+chLIb9H2TJJsf0OvocUDQ2/93w56PXvR
X-Received: by 2002:a17:906:3e06:: with SMTP id k6mr6954799eji.37.1598298022504;
        Mon, 24 Aug 2020 12:40:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598298022; cv=none;
        d=google.com; s=arc-20160816;
        b=COytQDtt8C4GaUxAD7gspX62wcSgSBormqbIDGWBN3aj8x5aMxui3fyaYvxRCsD+24
         XomrHtUgV/jffE9HTYfR9GZfOcBt0F6PAeZtl1ZV1bdyVfHEg8dXekMUSwgC2SAOuw/r
         snnRdzmMBxr2uzBta24h218FXNxogw+EnxRv/vEZBqWFIEAIjP6tdKq+u1CkxioBxp5X
         5meeS+YCmL9SrgRRA75AcX5/exqHTR8k6JhzB7Jf7Cwaj/05MpPfrbWaAlEHJgNf1vJl
         53MrpbkNDrGc7C3UWSiuvjYP78gGuaGChH9TofYUv+MxG5Gg2PlPaYNTjcKi3Qkj47iN
         i0mQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=g4pL4sVyrmOHm7d8P2FtckN7sUsE1ULTw8xRTNRh+SI=;
        b=NcYnmaFJPHvQK/LkYijtnbYV2KcJyetJEPsUzaOdHxK3ulj/ltsXDCXV2RreVsXaT3
         X2Vmb/3GAFC734cg+9HUl5Po8ehrgrUgeyMh6ZpgYzL3wnL++ye09m9EH2THP4zCIvUF
         TW1Ma09Q3UmYaVJFOnBcrNnMT4XHtV/QX9UKGhGAUkkW40zalh+6LSiMtiG9ANvLk/xD
         8/MNz5TSymNPqoEWHKDZDyJcSPcvF1s4MLnASosGHyF07W/OJxZDXbVSAswS+WFX1dK6
         KVZMNxf09S96QOyGg/n3IpyK4VFdn0S5IAWLySL0FwTDcJtChNTMsMBmuBG7gV9ADFBA
         ti1A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b="CoV/L53m";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d1si995785edq.421.2020.08.24.12.39.57;
        Mon, 24 Aug 2020 12:40:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b="CoV/L53m";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727050AbgHXTjA (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Mon, 24 Aug 2020 15:39:00 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54084 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726051AbgHXTi6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Aug 2020 15:38:58 -0400
Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42752C061575
        for <linux-kernel@vger.kernel.org>; Mon, 24 Aug 2020 12:38:58 -0700 (PDT)
Received: by mail-yb1-xb4a.google.com with SMTP id l67so11754841ybb.7
        for <linux-kernel@vger.kernel.org>; Mon, 24 Aug 2020 12:38:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=sender:date:in-reply-to:message-id:mime-version:references:subject
         :from:to:cc;
        bh=g4pL4sVyrmOHm7d8P2FtckN7sUsE1ULTw8xRTNRh+SI=;
        b=CoV/L53mwlQU4CmFv+qyfNTZJqXqwvTa0hKuq5T9gfLT05XMqzwM+AiGNQ2LPdOOSL
         djCoEUi6/nIJ0xI0ldNXvhw+jSelLMQA/N+/QLUdCIQ/mBxOdJMO0OEaFHoV9JNOfvJ8
         zOVbX7q4qMmz9OdrnQRYYpapzeAuvgHYeRNvbT0hi4hpqV6k86Yw8EeAqDsKEy8cDOIz
         p86j1+a8DcwbanlYBPSIKF+JcVwH4PJGPLhCef6gKKTawRbAq8YsOWovfsUD2apLiVly
         wxVsvt3Fn9tOgClVYY+Iet4yYT5mCmB2KtcU9xd0PliAWN0Ji5wZRmuVIhF1c0MBAtC4
         +k8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=g4pL4sVyrmOHm7d8P2FtckN7sUsE1ULTw8xRTNRh+SI=;
        b=ELXHuSfN9M5fKwwpnFRdx4XnSG0KwUcnMA5QlwfxJZ6NEvZD05lJCqLj6Y+Sy9CC4R
         7KZK7Nj8FuzbNdJ2OX+20NFg/UAKsp9S4wiT0yC8PKhf9mwXvSUH/VMGcfjJi0W2MnzZ
         dTjfcya96QPdqcCIz4bOMDPkhZ8WRZMJbGUzPUHEScQlSUcs7hVn/2rbVR3QBy2AS1Su
         RMHLVwEHQ+X7ALxmWZS7su3HYaXrGFKc4hEhDe7vIXVaoqaHKi0Z6mFz+47cBLJRNj8n
         Wnym1R6rtxzWVRBf+EZJQBNavdXYIl6KVjZMwLv8WDMLBYKWdMie+EMTNUhMZHoHhI8w
         ZOmA==
X-Gm-Message-State: AOAM531yf0v3aOhtMh5BK6uA3Usm5Pv20TFXFUnkyUXcWB4bR+fNmgaC
        AgtPGhdnREI2xz8gjxrzNmhkBX1BP1hrb09zIbA=
X-Received: from willmcvicker.c.googlers.com ([fda3:e722:ac3:10:24:72f4:c0a8:2dd0])
 (user=willmcvicker job=sendgmr) by 2002:a25:37ca:: with SMTP id
 e193mr10506255yba.387.1598297937465; Mon, 24 Aug 2020 12:38:57 -0700 (PDT)
Date:   Mon, 24 Aug 2020 19:38:32 +0000
In-Reply-To: <20200824193832.853621-1-willmcvicker@google.com>
Message-Id: <20200824193832.853621-2-willmcvicker@google.com>
Mime-Version: 1.0
References: <20200804113711.GA20988@salvia> <20200824193832.853621-1-willmcvicker@google.com>
X-Mailer: git-send-email 2.28.0.297.g1956fa8f8d-goog
Subject: [PATCH v3 1/1] netfilter: nat: add a range check for l3/l4 protonum
From:   Will McVicker <willmcvicker@google.com>
To:     stable@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>,
        Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
        Florian Westphal <fw@strlen.de>
Cc:     "David S. Miller" <davem@davemloft.net>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        kernel-team@android.com, Will McVicker <willmcvicker@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The indexes to the nf_nat_l[34]protos arrays come from userspace. So
check the tuple's family, e.g. l3num, when creating the conntrack in
order to prevent an OOB memory access during setup.  Here is an example
kernel panic on 4.14.180 when userspace passes in an index greater than
NFPROTO_NUMPROTO.

Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:...
Process poc (pid: 5614, stack limit = 0x00000000a3933121)
CPU: 4 PID: 5614 Comm: poc Tainted: G S      W  O    4.14.180-g051355490483
Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
task: 000000002a3dfffe task.stack: 00000000a3933121
pc : __cfi_check_fail+0x1c/0x24
lr : __cfi_check_fail+0x1c/0x24
...
Call trace:
__cfi_check_fail+0x1c/0x24
name_to_dev_t+0x0/0x468
nfnetlink_parse_nat_setup+0x234/0x258
ctnetlink_parse_nat_setup+0x4c/0x228
ctnetlink_new_conntrack+0x590/0xc40
nfnetlink_rcv_msg+0x31c/0x4d4
netlink_rcv_skb+0x100/0x184
nfnetlink_rcv+0xf4/0x180
netlink_unicast+0x360/0x770
netlink_sendmsg+0x5a0/0x6a4
___sys_sendmsg+0x314/0x46c
SyS_sendmsg+0xb4/0x108
el0_svc_naked+0x34/0x38

Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
Signed-off-by: Will McVicker <willmcvicker@google.com>
---
 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 31fa94064a62..0b89609a6e9d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[],
 	if (!tb[CTA_TUPLE_IP])
 		return -EINVAL;
 
+	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
+		return -EOPNOTSUPP;
 	tuple->src.l3num = l3num;
 
 	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
-- 
2.28.0.297.g1956fa8f8d-goog