[A,1/1] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

Message ID 20180514054128.9385-2-khalid.elmously@canonical.com
State New
Headers show
Series
  • CVE-2018-1068
Related show

Commit Message

Khaled Elmously May 14, 2018, 5:41 a.m.
From: Florian Westphal <fw@strlen.de>

CVE-2018-1068

We need to make sure the offsets are not out of range of the
total size.
Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of
-A INPUT --limit 1/s' --log
plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry-picked from b71812168571fa55e44cdd0254471331b9c4c4c6)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

Comments

Andy Whitcroft May 14, 2018, 9:42 a.m. | #1
On Mon, May 14, 2018 at 01:41:28AM -0400, Khalid Elmously wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> CVE-2018-1068
> 
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
> 
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
> 
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
> 
> Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry-picked from b71812168571fa55e44cdd0254471331b9c4c4c6)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 9c6e619f452b..6890bb669197 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2061,7 +2061,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
>  		if (match_kern)
>  			match_kern->match_size = ret;
>  
> -		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
> +		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
> +			return -EINVAL;
> +
>  		match32 = (struct compat_ebt_entry_mwt *) buf;
>  	}
>  
> @@ -2117,6 +2119,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
>  	 *
>  	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
>  	 */
> +	for (i = 0; i < 4 ; ++i) {
> +		if (offsets[i] >= *total)
> +			return -EINVAL;
> +		if (i == 0)
> +			continue;
> +		if (offsets[i-1] > offsets[i])
> +			return -EINVAL;
> +	}
> +
>  	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
>  		struct compat_ebt_entry_mwt *match32;
>  		unsigned int size;
> -- 
> 2.17.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Looks to be sane to me.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Kleber Souza May 14, 2018, 4:29 p.m. | #2
On 05/14/18 07:41, Khalid Elmously wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> CVE-2018-1068
> 
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
> 
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
> 
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
> 
> Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry-picked from b71812168571fa55e44cdd0254471331b9c4c4c6)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

Clean cherry-pick:

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>


As Andy mentioned on the other email, by the CVE matrix it seems that
trusty/linux needs the fix as well.


Thanks,
Kleber


> ---
>  net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 9c6e619f452b..6890bb669197 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2061,7 +2061,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
>  		if (match_kern)
>  			match_kern->match_size = ret;
>  
> -		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
> +		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
> +			return -EINVAL;
> +
>  		match32 = (struct compat_ebt_entry_mwt *) buf;
>  	}
>  
> @@ -2117,6 +2119,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
>  	 *
>  	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
>  	 */
> +	for (i = 0; i < 4 ; ++i) {
> +		if (offsets[i] >= *total)
> +			return -EINVAL;
> +		if (i == 0)
> +			continue;
> +		if (offsets[i-1] > offsets[i])
> +			return -EINVAL;
> +	}
> +
>  	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
>  		struct compat_ebt_entry_mwt *match32;
>  		unsigned int size;
>

Patch

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 9c6e619f452b..6890bb669197 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2061,7 +2061,9 @@  static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
 		if (match_kern)
 			match_kern->match_size = ret;
 
-		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+			return -EINVAL;
+
 		match32 = (struct compat_ebt_entry_mwt *) buf;
 	}
 
@@ -2117,6 +2119,15 @@  static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
 	 *
 	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 	 */
+	for (i = 0; i < 4 ; ++i) {
+		if (offsets[i] >= *total)
+			return -EINVAL;
+		if (i == 0)
+			continue;
+		if (offsets[i-1] > offsets[i])
+			return -EINVAL;
+	}
+
 	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 		struct compat_ebt_entry_mwt *match32;
 		unsigned int size;