linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Gao Feng <gfree.wind@vip.163.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Loic <hackurx@opensec.fr>
Subject: [PATCH 4.9 31/35] ebtables: arpreply: Add the standard target sanity check
Date: Thu, 11 Oct 2018 17:35:33 +0200
Message-ID: <20181011152521.425951160@linuxfoundation.org>
In-Reply-To: <20181011152520.174949126@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gao Feng <gfree.wind@vip.163.com>

commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.

The info->target comes from userspace and it would be used directly.
So we need to add the sanity check to make sure it is a valid standard
target, although the ebtables tool has already checked it. Kernel needs
to validate anything coming from userspace.

If the target is set as an evil value, it would break the ebtables
and cause a panic. Because the non-standard target is treated as one
offset.

Now add one helper function ebt_invalid_target, and we would replace
the macro INVALID_TARGET later.

Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Loic <hackurx@opensec.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/netfilter_bridge/ebtables.h |    5 +++++
 net/bridge/netfilter/ebt_arpreply.c       |    3 +++
 2 files changed, 8 insertions(+)

--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -123,4 +123,9 @@ extern unsigned int ebt_do_table(struct
 /* True if the target is not a standard target */
 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
 
+static inline bool ebt_invalid_target(int target)
+{
+	return (target < -NUM_STANDARD_TARGETS || target >= 0);
+}
+
 #endif
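
Review bot: The new ebt_invalid_target() duplicates the range test of the INVALID_TARGET macro directly above it, and the macro is left in place, so the header now carries two copies of the same bounds that can drift apart. Until the macro is removed as the commit message promises, consider defining it in terms of the helper, for example "#define INVALID_TARGET ebt_invalid_target(info->target)", so there is one source of truth. The macro also silently depends on a local variable named info, which is a good reason to finish the conversion. The existing comment "True if the target is not a standard target" sits above the macro only; the helper should carry its own comment stating that the accepted range is -NUM_STANDARD_TARGETS through -1 and that anything else, including any non-negative value, is rejected.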
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -67,6 +67,9 @@ static int ebt_arpreply_tg_check(const s
 	if (e->ethproto != htons(ETH_P_ARP) ||
 	    e->invflags & EBT_IPROTO)
 		return -EINVAL;
+	if (ebt_invalid_target(info->target))
+		return -EINVAL;
+
 	return 0;
 }
 
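
Review bot: The added check in ebt_arpreply_tg_check() has no comment explaining why a value the ebtables tool already validates is checked again, so a later cleanup could drop it as redundant. A one-line comment above "if (ebt_invalid_target(info->target))" saying that info->target comes from userspace and must be a standard target would keep the intent visible in the code and not only in the commit message. Placing the check in the check callback is right, since a bad rule is then refused with -EINVAL when it is loaded instead of being caught on the packet path. The diffstat shows only ebt_arpreply.c gaining the call, so it is worth confirming in this series that every other ebtables target taking a target value from userspace already applies the same test through INVALID_TARGET.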


