From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 34/88] netfilter: x_tables: check for bogus target offset
Date: Thu, 14 Jul 2016 10:15:26 +0200	[thread overview]
Message-ID: <0f266e4023908a1e83b601f38badb115e767d76d.1468483951.git.jslaby@suse.cz> (raw)
In-Reply-To: <3d4036cb9b963cdd270c02856a888183da0623db.1468483951.git.jslaby@suse.cz>
In-Reply-To: <cover.1468483950.git.jslaby@suse.cz>

From: Florian Westphal <fw@strlen.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c upstream.

We're currently asserting that targetoff + targetsize <= nextoff.

Extend it to also check that targetoff is >= sizeof(xt_entry).
Since this is generic code, add an argument pointing to the start of the
match/target; we can then derive the base structure size from the delta.

We also need the e->elems pointer in a followup change to validate matches.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/netfilter/x_tables.h |  4 ++--
 net/ipv4/netfilter/arp_tables.c    |  5 +++--
 net/ipv4/netfilter/ip_tables.c     |  5 +++--
 net/ipv6/netfilter/ip6_tables.c    |  5 +++--
 net/netfilter/x_tables.c           | 17 +++++++++++++++--
 5 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 958a5132e46b..ef93201a7c0e 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -239,7 +239,7 @@ extern void xt_unregister_match(struct xt_match *target);
 extern int xt_register_matches(struct xt_match *match, unsigned int n);
 extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
 
-int xt_check_entry_offsets(const void *base,
+int xt_check_entry_offsets(const void *base, const char *elems,
 			   unsigned int target_offset,
 			   unsigned int next_offset);
 
@@ -437,7 +437,7 @@ extern void xt_compat_target_from_user(struct xt_entry_target *t,
 				       void **dstptr, unsigned int *size);
 extern int xt_compat_target_to_user(const struct xt_entry_target *t,
 				    void __user **dstptr, unsigned int *size);
-int xt_compat_check_entry_offsets(const void *base,
+int xt_compat_check_entry_offsets(const void *base, const char *elems,
 				  unsigned int target_offset,
 				  unsigned int next_offset);
 
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 788ddb05dd3d..37550a103f88 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -578,7 +578,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
 	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
 
-	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+				     e->next_offset);
 	if (err)
 		return err;
 
@@ -1240,7 +1241,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
 	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
 
-	ret = xt_compat_check_entry_offsets(e, e->target_offset,
+	ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,
 					    e->next_offset);
 	if (ret)
 		return ret;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 65325bd2180f..cd8a5186a6a6 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -738,7 +738,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
 	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
 
-	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+				     e->next_offset);
 	if (err)
 		return err;
 
@@ -1505,7 +1506,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
 	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
 
-	ret = xt_compat_check_entry_offsets(e,
+	ret = xt_compat_check_entry_offsets(e, e->elems,
 					    e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index c54cfa235a1d..60c71ad180f0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -749,7 +749,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
 	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
 
-	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+				     e->next_offset);
 	if (err)
 		return err;
 
@@ -1517,7 +1518,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
 	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
 
-	ret = xt_compat_check_entry_offsets(e,
+	ret = xt_compat_check_entry_offsets(e, e->elems,
 					    e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 37f7eda8ad19..ea147468df9c 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -565,14 +565,17 @@ struct compat_xt_standard_target {
 	compat_uint_t verdict;
 };
 
-/* see xt_check_entry_offsets */
-int xt_compat_check_entry_offsets(const void *base,
+int xt_compat_check_entry_offsets(const void *base, const char *elems,
 				  unsigned int target_offset,
 				  unsigned int next_offset)
 {
+	long size_of_base_struct = elems - (const char *)base;
 	const struct compat_xt_entry_target *t;
 	const char *e = base;
 
+	if (target_offset < size_of_base_struct)
+		return -EINVAL;
+
 	if (target_offset + sizeof(*t) > next_offset)
 		return -EINVAL;
 
@@ -596,12 +599,16 @@ EXPORT_SYMBOL(xt_compat_check_entry_offsets);
  * xt_check_entry_offsets - validate arp/ip/ip6t_entry
  *
  * @base: pointer to arp/ip/ip6t_entry
+ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
  * @target_offset: the arp/ip/ip6_t->target_offset
  * @next_offset: the arp/ip/ip6_t->next_offset
  *
  * validates that target_offset and next_offset are sane.
  * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
  *
+ * This function does not validate the targets or matches themselves, it
+ * only tests that all the offsets and sizes are correct.
+ *
  * The arp/ip/ip6t_entry structure @base must have passed following tests:
  * - it must point to a valid memory location
  * - base to base + next_offset must be accessible, i.e. not exceed allocated
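Review bot: The new `@elems` line says what the pointer refers to but not the precondition the implementation depends on: `elems` must lie at or past `base`, because the function derives the header size as `elems - (const char *)base` and compares that signed delta with the unsigned @target_offset, so a pointer before @base would make the new check either never or always fail depending on the width of `long`. Suggest `@elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems; must point at or past @base`, or listing it with the tests @base must have passed. The added paragraph stating that targets and matches themselves are not validated is a useful scope note and reads fine.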
@@ -610,12 +617,18 @@ EXPORT_SYMBOL(xt_compat_check_entry_offsets);
  * Return: 0 on success, negative errno on failure.
  */
 int xt_check_entry_offsets(const void *base,
+			   const char *elems,
 			   unsigned int target_offset,
 			   unsigned int next_offset)
 {
+	long size_of_base_struct = elems - (const char *)base;
 	const struct xt_entry_target *t;
 	const char *e = base;
 
+	/* target start is within the ip/ip6/arpt_entry struct */
+	if (target_offset < size_of_base_struct)
+		return -EINVAL;
+
 	if (target_offset + sizeof(*t) > next_offset)
 		return -EINVAL;
 
-- 
2.9.1
