On Thu, Mar 10, 2016 at 6:12 AM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote:
>> Ben Hawkes says:
>>
>> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
>> is possible for a user-supplied ipt_entry structure to have a large
>> next_offset field. This field is not bounds checked prior to writing a
>> counter value at the supplied offset.
>>
>> Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
>> is out of bounds, assuming this is the last entry.
>>
>> With malformed data that's not necessarily the case so we can
>> write outside of allocated area later as we might not have walked the
>> entire blob.
>>
>> Fix this by simplifying mark_source_chains -- it already has to check
>> if nextoff is in range to catch invalid jumps, so just do the check
>> when we move to a next entry as well.
>
> Thanks for posting this patch so fast Florian.
>
> It's sad that Ben didn't even take the time to reach the people that
> the MAINTAINERS file shows in the first place *sigh*.

What is sad about this precisely? I followed the documented process for
reporting a security issue (https://www.kernel.org/doc/Documentation/SecurityBugs),
and then followed the instructions I received from this list. If you have a
problem with my actions, then I suggest you raise this with security@xxxxxxxxxx.

> I'll place this in nf-next together with remaining pending fixes, it
> seems we'll have 4.5 just after this -rc7 so I don't think we'll get
> there in time for this.
>
> I'll pass this to -stable once this hits master, these patches apply
> cleanly to every kernel starting 3.2.
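The failure mode in the quoted commit message, as an added example that is not kernel code and not Florian's patch: a toy rule blob whose entries are chained by a user-controlled next_offset. The `struct entry` layout, the blob of three 8-byte entries and the value 1000 are constructed for illustration (the real struct ipt_entry is larger). `walk_like_foreach()` copies only the loop condition of xt_entry_foreach(), `unchecked_fallthru_target()` models following next_offset without a range check and reports the offset that would be written instead of writing it, and `walk_checked()` shows the fix in spirit: reject the step at the moment we move to the next entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy entry, not struct ipt_entry: only the field the walk needs plus a
 * field that a later pass (the stand-in for mark_source_chains) writes. */
struct entry {
    uint16_t next_offset;  /* bytes from the start of this entry to the next */
    uint16_t reserved;
    uint32_t comefrom;     /* written by the later marking pass */
};

enum { ENTRY_SIZE = sizeof(struct entry), BLOB_SIZE = 3 * ENTRY_SIZE };

/* Constructed sample data: three entries; entry 0 gets the caller's
 * next_offset, entries 1 and 2 are well formed and chain to the end. */
static void build_blob(uint8_t blob[BLOB_SIZE], uint16_t first_next)
{
    struct entry e = { .next_offset = first_next, .reserved = 0, .comefrom = 0 };
    memset(blob, 0, BLOB_SIZE);
    memcpy(blob, &e, ENTRY_SIZE);
    e.next_offset = ENTRY_SIZE;
    memcpy(blob + ENTRY_SIZE, &e, ENTRY_SIZE);
    memcpy(blob + 2 * ENTRY_SIZE, &e, ENTRY_SIZE);
}

/* Same loop condition as xt_entry_foreach(): keep going while pos is inside
 * the blob. An oversized next_offset moves pos past the end, which silently
 * terminates the loop, so the entries after it are never examined.
 * Returns the number of entries visited. */
static size_t walk_like_foreach(const uint8_t *blob, size_t size)
{
    size_t pos = 0, visited = 0;
    while (pos < size) {
        if (pos + ENTRY_SIZE > size)     /* the entry itself must fit */
            break;
        struct entry e;
        memcpy(&e, blob + pos, ENTRY_SIZE);
        if (e.next_offset < ENTRY_SIZE)  /* minimum-size check, as the kernel has */
            break;
        visited++;
        pos += e.next_offset;            /* no check that the new pos is in range */
    }
    return visited;
}

/* Model of the unchecked fall-through: the "next entry" is pos + next_offset
 * and a field of it gets written. Returns that offset instead of writing, so
 * an out-of-bounds target can be observed without touching memory. */
static size_t unchecked_fallthru_target(const uint8_t *blob, size_t pos)
{
    struct entry e;
    memcpy(&e, blob + pos, ENTRY_SIZE);
    return pos + e.next_offset;  /* real code would write entry_at(that)->comefrom */
}

/* The fix in spirit: validate each move to the next entry. Every entry must
 * fit, the step must stay inside the blob, and the walk ends exactly at size.
 * Returns 0 on success, -1 for a malformed blob (the kernel uses -EINVAL). */
static int walk_checked(const uint8_t *blob, size_t size)
{
    size_t pos = 0;
    while (pos < size) {
        if (pos + ENTRY_SIZE > size)
            return -1;
        struct entry e;
        memcpy(&e, blob + pos, ENTRY_SIZE);
        if (e.next_offset < ENTRY_SIZE)
            return -1;
        if (pos + e.next_offset > size)  /* the check the old walk lacked */
            return -1;
        pos += e.next_offset;
    }
    return 0;
}

/* Scenario helpers so the three behaviours can be compared on one input. */
static size_t foreach_visits(uint16_t first_next)
{
    uint8_t b[BLOB_SIZE]; build_blob(b, first_next); return walk_like_foreach(b, BLOB_SIZE);
}
static size_t fallthru_target(uint16_t first_next)
{
    uint8_t b[BLOB_SIZE]; build_blob(b, first_next); return unchecked_fallthru_target(b, 0);
}
static int checked_rc(uint16_t first_next)
{
    uint8_t b[BLOB_SIZE]; build_blob(b, first_next); return walk_checked(b, BLOB_SIZE);
}

int main(void)
{
    printf("well-formed: foreach visits %zu of 3, checked walk rc=%d\n",
           foreach_visits(ENTRY_SIZE), checked_rc(ENTRY_SIZE));
    printf("next_offset=1000: foreach visits %zu of 3, fall-through would write at "
           "offset %zu of a %d-byte blob, checked walk rc=%d\n",
           foreach_visits(1000), fallthru_target(1000), BLOB_SIZE, checked_rc(1000));
    return 0;
}
```

The point to take from it: with the unchecked walk a single entry with next_offset = 1000 is "valid" (the loop just ends after one entry), yet any later pass that follows the same next_offset lands 976 bytes past the end of a 24-byte blob. Checking the step where the walk advances, rather than trusting the loop condition to find the last entry, rejects the blob up front.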