From patchwork Sun Dec  9 05:43:22 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Neal Cardwell <ncardwell@google.com>
X-Patchwork-Id: 204688
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 379EC2C01E5
	for <patchwork-incoming@ozlabs.org>;
	Sun,  9 Dec 2012 16:43:38 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756510Ab2LIFnb (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Sun, 9 Dec 2012 00:43:31 -0500
Received: from mail-bk0-f74.google.com ([209.85.214.74]:39495 "EHLO
	mail-bk0-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756462Ab2LIFn3 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Sun, 9 Dec 2012 00:43:29 -0500
Received: by mail-bk0-f74.google.com with SMTP id je9so107127bkc.1
	for <netdev@vger.kernel.org>; Sat, 08 Dec 2012 21:43:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references;
	bh=WTO6UjWZpe4j2VArxha1j7OWW9KWu2QciWyDuCeGpTw=;
	b=RCl46J7oOFQSgfPgmH2I3Ua6mqI2oZhqYb68L+05HCXYZg5NlMowfviaWn7R3PbeWS
	K3Z2v6YWVrOaWNgdB7NBXgz1fA2AAF1BW5uvGMO3Uu6tiAZ6Khby9S4khxHgjIcSTu+k
	F7lhlLTUjT0LIWiMPTHhnQDTjVTM0v9J2eWyTdWOV18nwm5+J1uLyuxc5DPHpBtM6K8i
	/Almch5H5gA8C/gudOHzZAQwNbOfN4njGSTxVlgqGwX4hO3HpwbQisb3zERMPv7p761a
	0P+U3kbyAqmMDB01MiPh5jAgtApo7phPMKb+VR/RFl/KcfiwkqJ4qLBvbsMQaqRKiLu0
	wFgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references
	:x-gm-message-state;
	bh=WTO6UjWZpe4j2VArxha1j7OWW9KWu2QciWyDuCeGpTw=;
	b=PzeQmAzoZO2UZbFt8NV6S4pieMOoXGfUruRX7FaomMuMGzjn4VG+MXulNOrAmhMzus
	0UeljelgnvyVrgCELnBs0ta9hjPW0xN2e5jxCydrsJZ+BILdLiydWYdyjYYfMxvjVo+M
	ZDjJ3ujfTR+6ujAxcWCAmwqwmZhql5TZTkd9neXAKzO9V1k4TJ537cdmc6EZtRt7HPXJ
	dvZ6HSXXLwbrGZOTEprPbi0sxKKRHgvoh66L8x3+1f8AGblj0Q8Wk9tALxOW1Xd1XV/4
	tX7UWg8rUaBELca/6khWTbL6rAs9lB4Wqg5gGMvbdmvRrmk/oLxc7td7z4OeJVcAHQ8Y
	tV8A==
Received: by 10.14.214.197 with SMTP id c45mr9836397eep.7.1355031808156;
	Sat, 08 Dec 2012 21:43:28 -0800 (PST)
Received: from hpza10.eem.corp.google.com ([74.125.121.33])
	by gmr-mx.google.com with ESMTPS id
	z44si6230932een.0.2012.12.08.21.43.28
	(version=TLSv1/SSLv3 cipher=AES128-SHA);
	Sat, 08 Dec 2012 21:43:28 -0800 (PST)
Received: from coy.nyc.corp.google.com (coy.nyc.corp.google.com
	[172.26.105.221])
	by hpza10.eem.corp.google.com (Postfix) with ESMTP id CB4B020004E;
	Sat,  8 Dec 2012 21:43:27 -0800 (PST)
Received: by coy.nyc.corp.google.com (Postfix, from userid 4318)
	id 65BCE1C0D86; Sun,  9 Dec 2012 00:43:27 -0500 (EST)
From: Neal Cardwell <ncardwell@google.com>
To: David Miller <davem@davemloft.net>
Cc: edumazet@google.com, netdev@vger.kernel.org,
	Neal Cardwell <ncardwell@google.com>
Subject: [PATCH net 2/3] inet_diag: validate byte code to prevent oops in
	inet_diag_bc_run()
Date: Sun,  9 Dec 2012 00:43:22 -0500
Message-Id: <1355031803-14547-2-git-send-email-ncardwell@google.com>
X-Mailer: git-send-email 1.7.7.3
In-Reply-To: <1355031803-14547-1-git-send-email-ncardwell@google.com>
References: <1355031803-14547-1-git-send-email-ncardwell@google.com>
X-Gm-Message-State: 
 ALoCoQnuIS2DrTNAYFbO1KHOKQDkrXRtOTCrorugJTcLawh9WtqX6TlXSYSYhtqDT6QxWa9QFgLTZxsIWOvevdxlVygFV7QrsWqpa3+6WCu3CyAlZTD83WbDwkF/tF7d3Pvov31qTJNJC7JTwDVgxHMz6Gpxz8uvnLyJ89t0qrRyqmLVN8ZGr5NFbxNy/fe2suv5JWQ29cso
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Add logic to validate INET_DIAG_BC_S_COND and INET_DIAG_BC_D_COND
operations.

Previously we did not validate the inet_diag_hostcond, address family,
address length, and prefix length. So a malicious user could make the
kernel read beyond the end of the bytecode array by claiming to have a
whole inet_diag_hostcond when the bytecode was not long enough to
contain a whole inet_diag_hostcond of the given address family. Or
they could make the kernel read up to about 27 bytes beyond the end of
a connection address by passing a prefix length that exceeded the
length of addresses of the given family.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
---
 net/ipv4/inet_diag.c |   48 +++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 16cfa42..529747d 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -513,6 +513,44 @@ static int valid_cc(const void *bc, int len, int cc)
 	return 0;
 }
 
+/* Validate an inet_diag_hostcond. */
+static bool valid_hostcond(const struct inet_diag_bc_op *op, int len,
+			   int *min_len)
+{
+	int addr_len;
+	struct inet_diag_hostcond *cond;
+
+	/* Check hostcond space. */
+	*min_len += sizeof(struct inet_diag_hostcond);
+	if (len < *min_len)
+		return false;
+	cond = (struct inet_diag_hostcond *)(op + 1);
+
+	/* Check address family and address length. */
+	switch (cond->family) {
+	case AF_UNSPEC:
+		addr_len = 0;
+		break;
+	case AF_INET:
+		addr_len = sizeof(struct in_addr);
+		break;
+	case AF_INET6:
+		addr_len = sizeof(struct in6_addr);
+		break;
+	default:
+		return false;
+	}
+	*min_len += addr_len;
+	if (len < *min_len)
+		return false;
+
+	/* Check prefix length (in bits) vs address length (in bytes). */
+	if (cond->prefix_len > 8 * addr_len)
+		return false;
+
+	return true;
+}
+
 static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
 {
 	const void *bc = bytecode;
@@ -520,18 +558,22 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
 
 	while (len > 0) {
 		const struct inet_diag_bc_op *op = bc;
+		int min_len = sizeof(struct inet_diag_bc_op);
 
 //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
 		switch (op->code) {
-		case INET_DIAG_BC_AUTO:
 		case INET_DIAG_BC_S_COND:
 		case INET_DIAG_BC_D_COND:
+			if (!valid_hostcond(bc, len, &min_len))
+				return -EINVAL;
+			/* fall through */
+		case INET_DIAG_BC_AUTO:
 		case INET_DIAG_BC_S_GE:
 		case INET_DIAG_BC_S_LE:
 		case INET_DIAG_BC_D_GE:
 		case INET_DIAG_BC_D_LE:
 		case INET_DIAG_BC_JMP:
-			if (op->no < 4 || op->no > len + 4 || op->no & 3)
+			if (op->no < min_len || op->no > len + 4 || op->no & 3)
 				return -EINVAL;
 			if (op->no < len &&
 			    !valid_cc(bytecode, bytecode_len, len - op->no))
@@ -542,7 +584,7 @@ static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
 		default:
 			return -EINVAL;
 		}
-		if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
+		if (op->yes < min_len || op->yes > len + 4 || op->yes & 3)
 			return -EINVAL;
 		bc  += op->yes;
 		len -= op->yes;