From patchwork Thu Mar 8 00:54:08 2018
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 882900
X-Patchwork-Delegate: pablo@netfilter.org
From: Florian Westphal
To:
Cc: pabeni@redhat.com, Florian Westphal
Subject: [PATCH nf] netfilter: bridge: ebt_among: add more missing match size checks
Date: Thu, 8 Mar 2018 01:54:08 +0100
Message-Id: <20180308005408.10123-1-fw@strlen.de>
X-Mailer: git-send-email 2.16.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

ebt_among is special: it has a dynamic match size and is exempt from
the central size checks.

commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed the fact that the macros
ebt_among_wh_src/dst can already return an out-of-bound result because
they do not check the value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

NB: Fixes tag is intentionally wrong, this bug exists from day one when
the match was added for the 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with the same rules from the earlier patch.

Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by:
Signed-off-by: Florian Westphal
---
Paolo, if you have time it would be great if you could double-check that
the tests in place are now sufficient and there aren't any more bugs
lurking in this thing. Thanks!

 net/bridge/netfilter/ebt_among.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index c5afb4232ecb..93f1b267d2ea 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,22 @@ static bool poolsize_invalid(const struct ebt_mac_wormhash *w) return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); } +static bool wormhash_offset_valid(int off, unsigned int len) +{ + unsigned int alleged_off; + + if (off == 0) /* not present */ + return true; + + if (off < 0) + return false; + + alleged_off = off; + alleged_off += sizeof(struct ebt_mac_wormhash); + + return alleged_off <= len; +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; @@ -189,6 +205,10 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par) if (expected_length > em->match_size) return -EINVAL; + if (!wormhash_offset_valid(info->wh_dst_ofs, em->match_size) || + !wormhash_offset_valid(info->wh_src_ofs, em->match_size)) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); if (poolsize_invalid(wh_dst)) return -EINVAL;
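Review bot: wormhash_offset_valid() in the first hunk has no comment stating what it does and does not guarantee; it only establishes that the fixed struct ebt_mac_wormhash header at `off` lies within `len`, while the variable-length pool that follows the header is left to the poolsize_invalid() and expected_length checks that the commit message attributes to c4585a2823edf. A short comment above the function spelling that out would stop a later reader from assuming the pool is bounded here. The `alleged_off` arithmetic is correct as written, since after the `off < 0` rejection an int no larger than INT_MAX plus sizeof(struct ebt_mac_wormhash) cannot wrap an unsigned int, but that reasoning is not obvious either; a one-liner such as `/* off >= 0 here, so the addition cannot wrap */` before `alleged_off += sizeof(struct ebt_mac_wormhash);` would document it.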
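Review bot: in the second hunk the new wormhash_offset_valid() calls are placed before the first `wh_dst = ebt_among_wh_dst(info);` dereference, which is the right spot for a check that guards that macro, but the helper accepts any non-negative offset whose header fits in match_size, so wh_dst_ofs and wh_src_ofs may still point into the ebt_among_info header itself or overlap each other. If the subsequent expected_length accounting makes such aliasing harmless for bounds purposes, a comment next to the new `if (!wormhash_offset_valid(...))` block should say so; otherwise a lower bound of sizeof(struct ebt_among_info) on both offsets belongs here.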