From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 03/39] netfilter: ebtables: handle string from userspace with care
Date: Sun, 24 Jun 2018 23:23:50 +0800 [thread overview]
Message-ID: <20180624152352.391893156@linuxfoundation.org> (raw)
In-Reply-To: <20180624152352.038950449@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ]
strlcpy() can't be safely used on a user-space provided string,
as it can try to read beyond the buffer's end, if the latter is
not NULL terminated.
Leveraging the above, syzbot has been able to trigger the following
splat:
BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
[inline]
BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
net/bridge/netfilter/ebtables.c:1957 [inline]
BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
net/bridge/netfilter/ebtables.c:2059 [inline]
BUG: KASAN: stack-out-of-bounds in size_entry_mwt
net/bridge/netfilter/ebtables.c:2155 [inline]
BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
net/bridge/netfilter/ebtables.c:2194
Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
memcpy+0x37/0x50 mm/kasan/kasan.c:303
strlcpy include/linux/string.h:300 [inline]
compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
__compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
__do_compat_sys_setsockopt net/compat.c:416 [inline]
__se_compat_sys_setsockopt net/compat.c:413 [inline]
__ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fb3cb9
RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Fix the issue replacing the unsafe function with strscpy() and
taking care of possible errors.
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/netfilter/ebtables.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1923,7 +1923,8 @@ static int compat_mtw_from_user(struct c
int off, pad = 0;
unsigned int size_kern, match_size = mwt->match_size;
- strlcpy(name, mwt->u.name, sizeof(name));
+ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
+ return -EINVAL;
if (state->buf_kern_start)
dst = state->buf_kern_start + state->buf_kern_offset;
next prev parent reply other threads:[~2018-06-24 15:50 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-24 15:23 [PATCH 4.9 00/39] 4.9.110-stable review Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 01/39] objtool: update .gitignore file Greg Kroah-Hartman
2018-06-24 15:23 ` Greg Kroah-Hartman [this message]
2018-06-24 15:23 ` [PATCH 4.9 04/39] ipvs: fix buffer overflow with sync daemon and service Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 05/39] iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 06/39] atm: zatm: fix memcmp casting Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 09/39] net/sonic: Use dma_mapping_error() Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 11/39] Revert "Btrfs: fix scrub to repair raid6 corruption" Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 12/39] tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 13/39] Btrfs: make raid6 rebuild retry more Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 15/39] bonding: re-evaluate force_primary when the primary slave name changes Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 16/39] ipv6: allow PMTU exceptions to local routes Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 17/39] net/sched: act_simple: fix parsing of TCA_DEF_DATA Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 18/39] tcp: verify the checksum of the first data segment in a new connection Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 20/39] ext4: fix hole length detection in ext4_ind_map_blocks() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 21/39] ext4: update mtime in ext4_punch_hole even if no blocks are released Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 22/39] ext4: fix fencepost error in check for inode count overflow during resize Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 23/39] driver core: Dont ignore class_dir_create_and_add() failure Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 24/39] Btrfs: fix clone vs chattr NODATASUM race Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 25/39] Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 26/39] btrfs: scrub: Dont use inode pages for device replace Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 27/39] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 28/39] ALSA: hda: add dock and led support for HP EliteBook 830 G5 Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 29/39] ALSA: hda: add dock and led support for HP ProBook 640 G4 Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 30/39] smb3: on reconnect set PreviousSessionId field Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 31/39] cpufreq: Fix new policy initialization during limits updates via sysfs Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 32/39] libata: zpodd: make arrays cdb static, reduces object code size Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 33/39] libata: zpodd: small read overflow in eject_tray() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 34/39] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 35/39] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 36/39] orangefs: set i_size on new symlink Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 37/39] HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 38/39] vhost: fix info leak due to uninitialized memory Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 39/39] fs/binfmt_misc.c: do not allow offset overflow Greg Kroah-Hartman
2018-06-24 17:44 ` [PATCH 4.9 00/39] 4.9.110-stable review Nathan Chancellor
2018-06-25 0:55 ` Greg Kroah-Hartman
2018-06-25 5:06 ` Naresh Kamboju
2018-06-25 6:43 ` Greg Kroah-Hartman
2018-06-25 17:18 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180624152352.391893156@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.