* [PATCH net] netfilter: check for out-of-bounds while copying compat entries
@ 2018-03-05 14:07 Paolo Abeni
2018-03-05 14:32 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Paolo Abeni @ 2018-03-05 14:07 UTC (permalink / raw)
To: netdev
Cc: Pablo Neira Ayuso, Florian Westphal, Jozsef Kadlecsik,
Stephen Hemminger, netfilter-devel, syzkaller-bugs
Currently, when coping ebt compat entries, no checks are in place
for the offsets provided by user space, so that syzbot was able to
trigger the following splat:
BUG: unable to handle kernel paging request at ffffc90001819e4f
IP: ebt_size_mwt net/bridge/netfilter/ebtables.c:2037 [inline]
IP: size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
IP: compat_copy_entries+0x49f/0x1050 net/bridge/netfilter/ebtables.c:2160
PGD 1dad2f067 P4D 1dad2f067 PUD 1dad30067 PMD 1b2408067 PTE 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4249 Comm: syz-executor0 Not tainted 4.16.0-rc3+ #248
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ebt_size_mwt net/bridge/netfilter/ebtables.c:2037 [inline]
RIP: 0010:size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
RIP: 0010:compat_copy_entries+0x49f/0x1050
net/bridge/netfilter/ebtables.c:2160
RSP: 0018:ffff8801b34bf7e8 EFLAGS: 00010246
RAX: 000000000000000a RBX: ffff8801b34bf9d4 RCX: ffffc90001819e4f
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801b34bf9d8
RBP: ffff8801b34bf968 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff88613340 R11: 0000000000000001 R12: 000000000000ee5f
R13: dffffc0000000000 R14: ffff8801b34bf9c8 R15: ffffc90001819e2f
FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000085b9900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffffc90001819e4f CR3: 00000001b2bd7003 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
compat_do_replace+0x398/0x7c0 net/bridge/netfilter/ebtables.c:2249
compat_do_ebt_set_ctl+0x22a/0x2d0 net/bridge/netfilter/ebtables.c:2330
compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
compat_nf_setsockopt+0x88/0x130 net/netfilter/nf_sockopt.c:156
compat_ip_setsockopt+0x8b/0xd0 net/ipv4/ip_sockglue.c:1285
inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:1041
compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2916
compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2986
C_SYSC_setsockopt net/compat.c:403 [inline]
compat_SyS_setsockopt+0x17c/0x410 net/compat.c:386
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fbbc99
RSP: 002b:00000000ffd5ab8c EFLAGS: 00000286 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020000280 RDI: 0000000000000208
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Code: 8d 4f 20 48 89 c8 48 89 8d c8 fe ff ff 48 c1 e8 03 42 0f b6 14 28 48
89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b2 0a 00 00 <45> 8b 67 20
44 39 a5 04 ff ff ff 0f 82 bd 08 00 00 e8 cb 52 56
This change addresses the issue, checking that the provided offset are
all inside the provided buffer.
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-and-tested-by: syzbot+5705ba91388d7bc30828@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
net/bridge/netfilter/ebtables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 02c4b409d317..54ceaff701fb 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2114,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
unsigned int size;
char *buf = buf_start + offsets[i];
- if (offsets[i] > offsets[j])
+ if (offsets[i] > offsets[j] || offsets[j] > *total)
return -EINVAL;
match32 = (struct compat_ebt_entry_mwt *) buf;
--
2.14.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] netfilter: check for out-of-bounds while copying compat entries
2018-03-05 14:07 [PATCH net] netfilter: check for out-of-bounds while copying compat entries Paolo Abeni
@ 2018-03-05 14:32 ` Florian Westphal
2018-03-05 15:17 ` Paolo Abeni
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2018-03-05 14:32 UTC (permalink / raw)
To: Paolo Abeni
Cc: netdev, Pablo Neira Ayuso, Florian Westphal, Jozsef Kadlecsik,
Stephen Hemminger, netfilter-devel, syzkaller-bugs
Paolo Abeni <pabeni@redhat.com> wrote:
> Currently, when coping ebt compat entries, no checks are in place
> for the offsets provided by user space, so that syzbot was able to
> trigger the following splat:
> ---
> net/bridge/netfilter/ebtables.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 02c4b409d317..54ceaff701fb 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2114,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
> unsigned int size;
> char *buf = buf_start + offsets[i];
>
> - if (offsets[i] > offsets[j])
> + if (offsets[i] > offsets[j] || offsets[j] > *total)
> return -EINVAL;
I thought i fixed this via b71812168571fa55e44cdd0254471331b9c4c4c6,
and, after looking at it again I still don't see why that doesn't cover
this :-(
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] netfilter: check for out-of-bounds while copying compat entries
2018-03-05 14:32 ` Florian Westphal
@ 2018-03-05 15:17 ` Paolo Abeni
0 siblings, 0 replies; 3+ messages in thread
From: Paolo Abeni @ 2018-03-05 15:17 UTC (permalink / raw)
To: Florian Westphal
Cc: netdev, Pablo Neira Ayuso, Jozsef Kadlecsik, Stephen Hemminger,
netfilter-devel, syzkaller-bugs
On Mon, 2018-03-05 at 15:32 +0100, Florian Westphal wrote:
> Paolo Abeni <pabeni@redhat.com> wrote:
> > Currently, when coping ebt compat entries, no checks are in place
> > for the offsets provided by user space, so that syzbot was able to
> > trigger the following splat:
> > ---
> > net/bridge/netfilter/ebtables.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> > index 02c4b409d317..54ceaff701fb 100644
> > --- a/net/bridge/netfilter/ebtables.c
> > +++ b/net/bridge/netfilter/ebtables.c
> > @@ -2114,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
> > unsigned int size;
> > char *buf = buf_start + offsets[i];
> >
> > - if (offsets[i] > offsets[j])
> > + if (offsets[i] > offsets[j] || offsets[j] > *total)
> > return -EINVAL;
>
> I thought i fixed this via b71812168571fa55e44cdd0254471331b9c4c4c6,
> and, after looking at it again I still don't see why that doesn't cover
> this :-(
Actually such commit fixes the issues (I just double-checked via
syzbot), the issue is I did not pull such changeset before starting
investigating this bug.
This patch is not needed, thanks.
Paolo
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-05 15:17 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-05 14:07 [PATCH net] netfilter: check for out-of-bounds while copying compat entries Paolo Abeni
2018-03-05 14:32 ` Florian Westphal
2018-03-05 15:17 ` Paolo Abeni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.