| From b71812168571fa55e44cdd0254471331b9c4c4c6 Mon Sep 17 00:00:00 2001 |
| From: Florian Westphal <fw@strlen.de> |
| Date: Mon, 19 Feb 2018 01:24:15 +0100 |
| Subject: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets |
| |
| From: Florian Westphal <fw@strlen.de> |
| |
| commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream. |
| |
| We need to make sure the offsets are not out of range of the |
| total size. |
| Also check that they are in ascending order. |
| |
| The WARN_ON triggered by syzkaller (it sets panic_on_warn) is |
| changed to also bail out, no point in continuing parsing. |
| |
| Briefly tested with simple ruleset of |
| -A INPUT --limit 1/s' --log |
| plus jump to custom chains using 32bit ebtables binary. |
| |
| Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com> |
| Signed-off-by: Florian Westphal <fw@strlen.de> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/bridge/netfilter/ebtables.c | 13 ++++++++++++- |
| 1 file changed, 12 insertions(+), 1 deletion(-) |
| |
| --- a/net/bridge/netfilter/ebtables.c |
| +++ b/net/bridge/netfilter/ebtables.c |
| @@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_eb |
| if (match_kern) |
| match_kern->match_size = ret; |
| |
| - WARN_ON(type == EBT_COMPAT_TARGET && size_left); |
| + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) |
| + return -EINVAL; |
| + |
| match32 = (struct compat_ebt_entry_mwt *) buf; |
| } |
| |
| @@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_ent |
| * |
| * offsets are relative to beginning of struct ebt_entry (i.e., 0). |
| */ |
| + for (i = 0; i < 4 ; ++i) { |
| + if (offsets[i] >= *total) |
| + return -EINVAL; |
| + if (i == 0) |
| + continue; |
| + if (offsets[i-1] > offsets[i]) |
| + return -EINVAL; |
| + } |
| + |
| for (i = 0, j = 1 ; j < 4 ; j++, i++) { |
| struct compat_ebt_entry_mwt *match32; |
| unsigned int size; |
