* iptables: ensure number of counters is >0 in do_replace()
@ 2015-05-19 23:11 Dave Jones
2015-05-19 23:19 ` Florian Westphal
0 siblings, 1 reply; 6+ messages in thread
From: Dave Jones @ 2015-05-19 23:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev
After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:
warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0
It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c69db7fa25ee..12a33d178614 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: iptables: ensure number of counters is >0 in do_replace()
2015-05-19 23:11 iptables: ensure number of counters is >0 in do_replace() Dave Jones
@ 2015-05-19 23:19 ` Florian Westphal
2015-05-19 23:42 ` Dave Jones
0 siblings, 1 reply; 6+ messages in thread
From: Florian Westphal @ 2015-05-19 23:19 UTC (permalink / raw)
To: Dave Jones; +Cc: netfilter-devel, netdev
Dave Jones <davej@codemonkey.org.uk> wrote:
> After improving setsockopt() coverage in trinity, I started triggering
> vmalloc failures pretty reliably from this code path:
>
> warn_alloc_failed+0xe9/0x140
> __vmalloc_node_range+0x1be/0x270
> vzalloc+0x4b/0x50
> __do_replace+0x52/0x260 [ip_tables]
> do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
> nf_setsockopt+0x65/0x90
> ip_setsockopt+0x61/0xa0
> raw_setsockopt+0x16/0x60
> sock_common_setsockopt+0x14/0x20
> SyS_setsockopt+0x71/0xd0
>
> It turns out we don't validate that the num_counters field in the
> struct we pass in from userspace is initialized.
>
> Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
>
> diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> index c69db7fa25ee..12a33d178614 100644
> --- a/net/ipv4/netfilter/ip_tables.c
> +++ b/net/ipv4/netfilter/ip_tables.c
> @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
> /* overflow check */
> if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
> return -ENOMEM;
> + if (tmp.num_counters == 0)
> + return -EINVAL;
> +
Good catch. Due to iptables wonderful copy-paste programming model,
this also needs fixing in compat_do_replace, ip6tables, arbtables and
ebtables (8 different places, ick).
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: iptables: ensure number of counters is >0 in do_replace()
2015-05-19 23:19 ` Florian Westphal
@ 2015-05-19 23:42 ` Dave Jones
2015-05-20 0:20 ` David Miller
0 siblings, 1 reply; 6+ messages in thread
From: Dave Jones @ 2015-05-19 23:42 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel, netdev
On Wed, May 20, 2015 at 01:19:50AM +0200, Florian Westphal wrote:
> Dave Jones <davej@codemonkey.org.uk> wrote:
> > After improving setsockopt() coverage in trinity, I started triggering
> > vmalloc failures pretty reliably from this code path:
> >
> > warn_alloc_failed+0xe9/0x140
> > __vmalloc_node_range+0x1be/0x270
> > vzalloc+0x4b/0x50
> > __do_replace+0x52/0x260 [ip_tables]
> > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
> > nf_setsockopt+0x65/0x90
> > ip_setsockopt+0x61/0xa0
> > raw_setsockopt+0x16/0x60
> > sock_common_setsockopt+0x14/0x20
> > SyS_setsockopt+0x71/0xd0
> >
> > It turns out we don't validate that the num_counters field in the
> > struct we pass in from userspace is initialized.
> >
> > Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
> >
> > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> > index c69db7fa25ee..12a33d178614 100644
> > --- a/net/ipv4/netfilter/ip_tables.c
> > +++ b/net/ipv4/netfilter/ip_tables.c
> > @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
> > /* overflow check */
> > if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
> > return -ENOMEM;
> > + if (tmp.num_counters == 0)
> > + return -EINVAL;
> > +
>
> Good catch. Due to iptables wonderful copy-paste programming model,
> this also needs fixing in compat_do_replace, ip6tables, arbtables and
> ebtables (8 different places, ick).
ugh. ok, I'll fix them all up.
What's the preferred format, 8 separate patches, or 1 all-in-one diff
for all instances of this bug ?
thanks,
Dave
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: iptables: ensure number of counters is >0 in do_replace()
2015-05-19 23:42 ` Dave Jones
@ 2015-05-20 0:20 ` David Miller
2015-05-20 0:55 ` netfilter: " Dave Jones
0 siblings, 1 reply; 6+ messages in thread
From: David Miller @ 2015-05-20 0:20 UTC (permalink / raw)
To: davej; +Cc: fw, netfilter-devel, netdev
From: Dave Jones <davej@codemonkey.org.uk>
Date: Tue, 19 May 2015 19:42:52 -0400
> What's the preferred format, 8 separate patches, or 1 all-in-one
> diff for all instances of this bug ?
Personally, I think you could do this in one patch.
^ permalink raw reply [flat|nested] 6+ messages in thread
* netfilter: ensure number of counters is >0 in do_replace()
2015-05-20 0:20 ` David Miller
@ 2015-05-20 0:55 ` Dave Jones
2015-05-21 11:42 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Dave Jones @ 2015-05-20 0:55 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev, fw, David Miller
After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:
warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0
It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.
The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 91180a7fc943..24c7c96bf5f8 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1117,6 +1117,8 @@ static int do_replace(struct net *net, const void __user *user,
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
tmp.name[sizeof(tmp.name) - 1] = 0;
@@ -2159,6 +2161,8 @@ static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 13bfe84bf3ca..a61200754f4b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1075,6 +1075,9 @@ static int do_replace(struct net *net, const void __user *user,
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
@@ -1499,6 +1502,9 @@ static int compat_do_replace(struct net *net, void __user *user,
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c69db7fa25ee..2d0e265fef6e 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
@@ -1809,6 +1812,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1a732a1d3c8e..62f5b0d0bc9b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1275,6 +1275,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
@@ -1822,6 +1825,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
+ if (tmp.num_counters == 0)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: netfilter: ensure number of counters is >0 in do_replace()
2015-05-20 0:55 ` netfilter: " Dave Jones
@ 2015-05-21 11:42 ` Pablo Neira Ayuso
0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-21 11:42 UTC (permalink / raw)
To: Dave Jones; +Cc: netfilter-devel, netdev, fw, David Miller
On Tue, May 19, 2015 at 08:55:17PM -0400, Dave Jones wrote:
> After improving setsockopt() coverage in trinity, I started triggering
> vmalloc failures pretty reliably from this code path:
>
> warn_alloc_failed+0xe9/0x140
> __vmalloc_node_range+0x1be/0x270
> vzalloc+0x4b/0x50
> __do_replace+0x52/0x260 [ip_tables]
> do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
> nf_setsockopt+0x65/0x90
> ip_setsockopt+0x61/0xa0
> raw_setsockopt+0x16/0x60
> sock_common_setsockopt+0x14/0x20
> SyS_setsockopt+0x71/0xd0
>
> It turns out we don't validate that the num_counters field in the
> struct we pass in from userspace is initialized.
>
> The same problem also exists in ebtables, arptables, ipv6, and the
> compat variants.
Applied.
This also applies to -stable kernels:
3.2.x
3.4.x
3.10.x
3.12.x
3.14.x
3.18.x
4.0.x
so after some testing and a little while, I'll pass this on.
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-05-21 11:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-19 23:11 iptables: ensure number of counters is >0 in do_replace() Dave Jones
2015-05-19 23:19 ` Florian Westphal
2015-05-19 23:42 ` Dave Jones
2015-05-20 0:20 ` David Miller
2015-05-20 0:55 ` netfilter: " Dave Jones
2015-05-21 11:42 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.