syzkaller managed to trigger various interesting features, such as the ability to create rulesets that can't be shown with iptables(8).

These patches add more checks/restrictions to the x_tables validation of the blob coming in from userspace. In particular:

1. check error target name is null-terminated
2. cap allocations to reduce OOM invocations
3. enforce unique hook entry points
4. enforce last rule of base chain contains policy

I tested this with a few ruleset dumps that I had available and also checked that the 32bit iptables binary works, but, given these patches don't fix a known issue with the kernel itself, I am targeting the nf-next tree to give more soak time.

Comments welcome.

 include/linux/netfilter/x_tables.h |   5
 net/bridge/netfilter/ebtables.c    |  10 +
 net/ipv4/netfilter/arp_tables.c    |  47 +++++----
 net/ipv4/netfilter/ip_tables.c     |  45 +++++---
 net/ipv6/netfilter/ip6_tables.c    |  47 +++++----
 net/netfilter/x_tables.c           | 187 +++++++++++++++++++++++++++++++++----
 6 files changed, 263 insertions(+), 78 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
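The four checks listed in the cover letter are all input validation on a blob that userspace controls, so the shape of each one is worth seeing in code. The block below is an added illustration, not code from the patch series or from the kernel: `struct rule`, `struct table_blob`, the size constants and the sample rule names are all constructed here, and they only keep the fields the checks look at (a fixed-size target-name buffer, per-hook entry/underflow indices, and a standard target whose negative verdict stands in for a chain policy). `validate_table()` applies the checks in the order a validator would want them, rejecting oversized tables before it touches a single rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants for this illustration; not the kernel's values. */
#define NAME_LEN     29        /* fixed size of a target-name buffer */
#define NUM_HOOKS    5
#define ENTRIES_CAP  4096      /* stands in for the allocation cap (check 2) */
#define HOOK_UNUSED  UINT32_MAX

/* Hypothetical, simplified rule: only what the four checks need. */
struct rule {
    char target_name[NAME_LEN];
    bool standard_target;      /* built-in verdict target */
    int  verdict;              /* negative verdict = chain policy in this model */
};

/* Hypothetical, simplified table blob as handed in from userspace. */
struct table_blob {
    uint32_t num_entries;
    uint32_t hook_entry[NUM_HOOKS]; /* index of the first rule of each base chain */
    uint32_t underflow[NUM_HOOKS];  /* index of the last rule (policy) of each chain */
    const struct rule *rules;
};

enum verr {
    V_OK = 0,
    V_NAME_UNTERMINATED,   /* check 1 */
    V_TOO_MANY_ENTRIES,    /* check 2 */
    V_DUP_HOOK_ENTRY,      /* check 3 */
    V_NO_POLICY,           /* check 4 */
    V_INDEX_OUT_OF_RANGE
};

/* Check 1: a name copied from userspace must hold a NUL inside its buffer,
 * or every later strcmp()/strlen() on it reads past the field. */
bool name_is_terminated(const char *name, size_t len)
{
    return memchr(name, '\0', len) != NULL;
}

/* Check 3: no two hooks may start at the same rule index. */
bool hook_entries_unique(const uint32_t *hook_entry, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (hook_entry[i] == HOOK_UNUSED)
            continue;
        for (size_t j = 0; j < i; j++)
            if (hook_entry[j] == hook_entry[i])
                return false;
    }
    return true;
}

/* Check 4: a base chain must end in the standard target carrying a policy. */
bool rule_is_policy(const struct rule *r)
{
    return r->standard_target && r->verdict < 0;
}

enum verr validate_table(const struct table_blob *t)
{
    if (t->num_entries > ENTRIES_CAP)          /* check 2, before any per-rule work */
        return V_TOO_MANY_ENTRIES;
    for (uint32_t i = 0; i < t->num_entries; i++)
        if (!name_is_terminated(t->rules[i].target_name, NAME_LEN))
            return V_NAME_UNTERMINATED;
    if (!hook_entries_unique(t->hook_entry, NUM_HOOKS))
        return V_DUP_HOOK_ENTRY;
    for (size_t h = 0; h < NUM_HOOKS; h++) {
        if (t->hook_entry[h] == HOOK_UNUSED)
            continue;
        if (t->hook_entry[h] >= t->num_entries || t->underflow[h] >= t->num_entries ||
            t->underflow[h] < t->hook_entry[h])
            return V_INDEX_OUT_OF_RANGE;
        if (!rule_is_policy(&t->rules[t->underflow[h]]))
            return V_NO_POLICY;
    }
    return V_OK;
}

/* Constructed sample blobs: variant 0 is well-formed, 1..4 each break one check. */
enum verr check_sample(int variant)
{
    static struct rule rules[3];
    memset(rules, 0, sizeof(rules));
    strcpy(rules[0].target_name, "LOG");       /* constructed names */
    strcpy(rules[1].target_name, "REJECT");
    rules[2].standard_target = true;            /* standard target: empty name */
    rules[2].verdict = -2;                      /* chain policy in this model */

    struct table_blob t = { .num_entries = 3, .rules = rules };
    for (size_t h = 0; h < NUM_HOOKS; h++)
        t.hook_entry[h] = t.underflow[h] = HOOK_UNUSED;
    t.hook_entry[1] = 0; t.underflow[1] = 2;    /* one base chain: rules 0..2 */

    switch (variant) {
    case 1: memset(rules[0].target_name, 'A', NAME_LEN); break; /* no NUL at all */
    case 2: t.num_entries = ENTRIES_CAP + 1; break;             /* over the cap */
    case 3: t.hook_entry[2] = 0; t.underflow[2] = 2; break;     /* reuses entry 0 */
    case 4: t.underflow[1] = 1; break;                          /* ends in REJECT */
    default: break;
    }
    return validate_table(&t);
}

int main(void)
{
    for (int v = 0; v <= 4; v++)
        printf("variant %d -> %d\n", v, (int)check_sample(v));
    return 0;
}
```

The ordering matters for the allocation cap: rejecting `num_entries` against the cap first means a hostile count never drives an allocation or a per-rule loop, which is the point of check 2.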