Patch "netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets" has been added to the 4.9-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Tue, 13 Mar 2018 12:16:21 +0100

This is a note to let you know that I've just added the patch titled

    netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-ebtables-config_compat-don-t-trust-userland-offsets.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From b71812168571fa55e44cdd0254471331b9c4c4c6 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@xxxxxxxxx>
Date: Mon, 19 Feb 2018 01:24:15 +0100
Subject: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

From: Florian Westphal <fw@xxxxxxxxx>

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the
total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@xxxxxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 net/bridge/netfilter/ebtables.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2031,7 +2031,9 @@ static int ebt_size_mwt(struct compat_eb
 		if (match_kern)
 			match_kern->match_size = ret;
 
-		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+			return -EINVAL;
+
 		match32 = (struct compat_ebt_entry_mwt *) buf;
 	}
 
@@ -2087,6 +2089,15 @@ static int size_entry_mwt(struct ebt_ent
 	 *
 	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 	 */
+	for (i = 0; i < 4 ; ++i) {
+		if (offsets[i] >= *total)
+			return -EINVAL;
+		if (i == 0)
+			continue;
+		if (offsets[i-1] > offsets[i])
+			return -EINVAL;
+	}
+
 	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 		struct compat_ebt_entry_mwt *match32;
 		unsigned int size;


Patches currently in stable-queue which might be from fw@xxxxxxxxx are

queue-4.9/netfilter-add-back-stackpointer-size-checks.patch
queue-4.9/netfilter-ipv6-fix-use-after-free-write-in-nf_nat_ipv6_manip_pkt.patch
queue-4.9/netfilter-ebtables-config_compat-don-t-trust-userland-offsets.patch
queue-4.9/netfilter-bridge-ebt_among-add-missing-match-size-checks.patch






