hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/net/bridge/netfilter
History
Florian Westphal e608f631f0 netfilter: ebtables: compat: reject all padding in matches/watchers 
syzbot reported following splat:

BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937

CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
 size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
 compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
 compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
 compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
 [..]

Because padding isn't considered during computation of ->buf_user_offset,
"total" is decremented by fewer bytes than it should.

Therefore, the first part of

if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))

will pass, -- it should not have.  This causes oob access:
entry->next_offset is past the vmalloced size.

Reject padding and check that computed user offset (sum of ebt_entry
structure plus all individual matches/watchers/targets) is same
value that userspace gave us as the offset of the next entry.

Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
Fixes: 81e675c227 ("netfilter: ebtables: add CONFIG_COMPAT support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 		2019-12-20 02:12:27 +01:00
..
Kconfig netfilter: bridge: make NF_TABLES_BRIDGE tristate 2019-07-19 18:08:14 +02:00
Makefile netfilter: nft_meta: move bridge meta keys into nft_meta_bridge 2019-07-05 21:34:47 +02:00
ebt_802_3.c netfilter: inline xt_hashlimit, ebt_802_3 and xt_physdev headers 2019-09-13 12:32:48 +02:00
ebt_among.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_arp.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_arpreply.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_dnat.c bridge: ebtables: don't crash when using dnat target in output chains 2019-11-04 20:58:34 +01:00
ebt_ip.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_ip6.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_limit.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_log.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_mark.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_mark_m.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_nflog.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_pkttype.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_redirect.c netfilter: bridge: convert skb_make_writable to skb_ensure_writable 2019-05-31 18:02:43 +02:00
ebt_snat.c netfilter: bridge: convert skb_make_writable to skb_ensure_writable 2019-05-31 18:02:43 +02:00
ebt_stp.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_vlan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
ebtable_broute.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebtable_filter.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebtable_nat.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebtables.c netfilter: ebtables: compat: reject all padding in matches/watchers 2019-12-20 02:12:27 +01:00
nf_conntrack_bridge.c ipv4: fix IPSKB_FRAG_PMTU handling with fragmentation 2019-10-21 10:46:42 -07:00
nf_log_bridge.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nft_meta_bridge.c netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder 2019-08-30 02:49:04 +02:00
nft_reject_bridge.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00