From: Edward Adam Davis
To: netdev@vger.kernel.org
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net, haoluo@google.com, john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org, linux-kernel@vger.kernel.org, martin.lau@linux.dev, sdf@google.com, song@kernel.org, syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: [PATCH] netfilter: x_tables: fix incorrect parameter length before call copy_from_sockptr
Date: Tue, 9 Apr 2024 23:00:20 +0800

If len < sizeof(tmp) it will trigger oob, so take the min of them.

Signed-off-by: Edward Adam Davis
---
 net/ipv4/netfilter/arp_tables.c | 4 ++--
 net/ipv4/netfilter/ip_tables.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 2407066b0fec..dc9166b48069 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -956,7 +956,7 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len) void *loc_cpu_entry; struct arpt_entry *iter; - if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + if (copy_from_sockptr(&tmp, arg, min_t(unsigned int, sizeof(tmp), len)) != 0) return -EFAULT; /* overflow check */ @@ -1254,7 +1254,7 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) void *loc_cpu_entry; struct arpt_entry *iter; - if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + if (copy_from_sockptr(&tmp, arg, min_t(unsigned int, sizeof(tmp), len)) != 0) return -EFAULT; /* overflow check */ diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 7da1df4997d0..94a0afd8f94f 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1108,7 +1108,7 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) void *loc_cpu_entry; struct ipt_entry *iter; - if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + if (copy_from_sockptr(&tmp, arg, min_t(unsigned int, sizeof(tmp), len)) != 0) return -EFAULT; /* overflow check */ @@ -1492,7 +1492,7 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) void *loc_cpu_entry; struct ipt_entry *iter; - if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0) + if (copy_from_sockptr(&tmp, arg, min_t(unsigned int, sizeof(tmp), len)) != 0) return -EFAULT; /* overflow check */ -- 2.43.0
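
Review bot: The clamped copy on the changed line of all four hunks (do_replace() and compat_do_replace() in both arp_tables.c and ip_tables.c) lets a short request through instead of rejecting it. With len < sizeof(tmp), copy_from_sockptr(&tmp, arg, min_t(unsigned int, sizeof(tmp), len)) fills only the first len bytes of tmp and returns 0, so the function carries on to the "overflow check" with the remaining fields of tmp never set from the caller's data. A request shorter than the header is malformed, not something to truncate: checking it before the copy, with if (len < sizeof(tmp)) return -EINVAL; and leaving the original sizeof(tmp) copy in place, stops the out-of-bounds read without parsing a partly filled structure.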
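
Review bot: The changelog does not say what goes out of bounds or how the problem was found, and the hunks leave the reader to work it out: the destination &tmp is always sizeof(tmp) bytes, so the overrun has to be a read past the len bytes behind arg. Saying that in the commit message, and adding a Fixes: tag plus a Reported-by: line if this came from the syzkaller report the Cc list suggests, would let reviewers and stable maintainers judge the affected range. The replacement line is also repeated verbatim in each of the four functions, so whatever form the length check finally takes should be applied identically in all of them.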