On Wed, 13 Nov 2024, Jeongjun Park wrote: > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, > the values of ip and ip_to are slightly swapped. Therefore, the range check > for ip should be done later, but this part is missing and it seems that the > vulnerability occurs. > > So we should add missing range checks and remove unnecessary range checks. > > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: syzbot+58c872f7790a4d2ac951@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support") > Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx> Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> The patch should be applied to the stable branches too. Thanks! Best regards, Jozsef > --- > net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c > index e4fa00abde6a..5988b9bb9029 100644 > --- a/net/netfilter/ipset/ip_set_bitmap_ip.c > +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c > @@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[], > ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); > if (ret) > return ret; > - if (ip > ip_to) { > + if (ip > ip_to) > swap(ip, ip_to); > - if (ip < map->first_ip) > - return -IPSET_ERR_BITMAP_RANGE; > - } > } else if (tb[IPSET_ATTR_CIDR]) { > u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); > > @@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[], > ip_to = ip; > } > > - if (ip_to > map->last_ip) > + if (ip < map->first_ip || ip_to > map->last_ip) > return -IPSET_ERR_BITMAP_RANGE; > > for (; !before(ip_to, ip); ip += map->hosts) { > -- > -- E-mail : kadlec@xxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx Address: Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary
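Review bot: In the first hunk (@@ -163,11 +163,8 @@), dropping the `if (ip < map->first_ip)` check from the IPSET_ATTR_IP_TO branch is only safe because the consolidated check after the CIDR branch now covers the lower bound for every path; the commit message should state this dependency explicitly, since a reader of the first hunk alone sees a bounds check being removed. The retained `swap(ip, ip_to)` guarantees `ip <= ip_to` on exit from this branch, so a single `ip < map->first_ip || ip_to > map->last_ip` test later is sufficient for the IP_TO case, but that reasoning belongs in the changelog next to "remove unnecessary range checks".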
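Review bot: In the second hunk (@@ -178,7 +175,7 @@), the new combined check `if (ip < map->first_ip || ip_to > map->last_ip)` is the right place for the lower-bound test, because the CIDR branch rewrites `ip` (per the commit message) and the single-address path sets `ip_to = ip`, so this is the first point where both endpoints are final for all three paths and the `for (; !before(ip_to, ip); ip += map->hosts)` loop that follows relies on both lying inside [map->first_ip, map->last_ip]. Note for the changelog that the plain-address and CIDR paths previously had no lower-bound check at all, so this also rejects a single address or CIDR prefix below `map->first_ip` with -IPSET_ERR_BITMAP_RANGE rather than only the IP_TO range case; that is the intended fix for the reported issue and is worth calling out so stable backporters understand the behaviour change.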