From patchwork Fri May 7 06:10:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Khalid Elmously X-Patchwork-Id: 1475363 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fc0ST3c9Jz9sXL; Fri, 7 May 2021 16:11:05 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lethQ-0001Ej-RD; Fri, 07 May 2021 06:10:56 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lethN-0001Ds-R9 for kernel-team@lists.ubuntu.com; Fri, 07 May 2021 06:10:53 +0000 Received: from mail-qt1-f200.google.com ([209.85.160.200]) by youngberry.canonical.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1lethN-0003Lb-IX for kernel-team@lists.ubuntu.com; Fri, 07 May 2021 06:10:53 +0000 Received: by mail-qt1-f200.google.com with SMTP id r20-20020ac85c940000b02901bac34fa2eeso5110936qta.11 for ; Thu, 06 May 2021 23:10:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=53k/ooVXv+fl8wMUZh4XVOH2yk03Ua8cc+mGnxH3rb8=; b=DOZEND1kDhLlYWoz02aFYdSVRXCurzrLrCJ22rO9sW4GZy7tAHTGQDSuTxq9a6725m rjbvBRgcjxe2FccU6Fif4LVqtYKu2RfHyafUPAOaoRI91kye7n1y5QU5qpqW9dEgocgw QqjmeYY4s2uRNmAfypmYX5ramoshYwgcpFsoSWRITnXxlT2DStd9uN/r6E87biSWGiCx ml2aTE3zLdPtwJso0LqU8xqMIzODL5aTsOVvZjtoCOtbflNSrpL0qJkLqJqEVjOsHlTO AD+zpQZBVasAOhIBHKzXUPmF7MmZqWE19D+jN9ITLcvZBDy15kXBWX4/PmneXE6BDMYO PUXg== X-Gm-Message-State: AOAM530W2EgL1rVnvsC4Dv1WdAtWxP5m8kGnCD3Sditrf760xUYjjLTP j4wforbqdc1Fu4MiXQF72mDRAkPiOm8qQFH7jn2GQT1O4nAgTTXebciCVFcBUoBQuTdTThFTQlm 4LfBLSp+xLjC1SxmSUlO4hf2LeX4TCPB0QPnwzv7DUg== X-Received: by 2002:ae9:f114:: with SMTP id k20mr7852028qkg.386.1620367852728; Thu, 06 May 2021 23:10:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzyDdpCE215u8KJuieBrvsKJ/yayd8x8OYUqHl5Sbsf5rxLLIlFM+5j5ZgkVSYh7TJIbN5MMQ== X-Received: by 2002:ae9:f114:: with SMTP id k20mr7852013qkg.386.1620367852522; Thu, 06 May 2021 23:10:52 -0700 (PDT) Received: from kbuntu2.fuzzbuzz.org (dhcp-24-53-240-22.cable.user.start.ca. [24.53.240.22]) by smtp.gmail.com with ESMTPSA id t18sm4061581qkj.75.2021.05.06.23.10.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 06 May 2021 23:10:52 -0700 (PDT) From: Khalid Elmously To: kernel-team@lists.ubuntu.com Subject: [SRU][B][F][G][H][PATCH 1/1] netfilter: x_tables: fix compat match/target pad out-of-bound write Date: Fri, 7 May 2021 02:10:41 -0400 Message-Id: <20210507061041.25365-1-khalid.elmously@canonical.com> X-Mailer: git-send-email 2.17.1 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Florian Westphal BugLink: https://bugs.launchpad.net/bugs/1927682 xt_compat_match/target_from_user doesn't check that zeroing the area to start of next rule won't write past end of allocated ruleset blob. Remove this code and zero the entire blob beforehand. Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com Reported-by: Andy Nguyen Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso (cherry picked from commit b29c457a6511435960115c0f548c4360d5f4801d) Signed-off-by: Khalid Elmously Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza --- net/ipv4/netfilter/arp_tables.c | 2 ++ net/ipv4/netfilter/ip_tables.c | 2 ++ net/ipv6/netfilter/ip6_tables.c | 2 ++ net/netfilter/x_tables.c | 10 ++-------- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index e81eeb2389f92a..fc769df15c100b 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1230,6 +1230,8 @@ static int translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_ARP_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index d5bd759a7ebaed..986d8538fb4ced 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1467,6 +1467,8 @@ translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_INET_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 8e2985fc1ebc01..2cfce6eb98b43d 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1483,6 +1483,8 @@ translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_INET_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 4638d42a22e405..d40acfce300764 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -636,7 +636,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, { const struct xt_match *match = m->u.kernel.match; struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; - int pad, off = xt_compat_match_offset(match); + int off = xt_compat_match_offset(match); u_int16_t msize = cm->u.user.match_size; char name[sizeof(m->u.user.name)]; @@ -646,9 +646,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, match->compat_from_user(m->data, cm->data); else memcpy(m->data, cm->data, msize - sizeof(*cm)); - pad = XT_ALIGN(match->matchsize) - match->matchsize; - if (pad > 0) - memset(m->data + match->matchsize, 0, pad); msize += off; m->u.user.match_size = msize; @@ -991,7 +988,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, { const struct xt_target *target = t->u.kernel.target; struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; - int pad, off = xt_compat_target_offset(target); + int off = xt_compat_target_offset(target); u_int16_t tsize = ct->u.user.target_size; char name[sizeof(t->u.user.name)]; @@ -1001,9 +998,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, target->compat_from_user(t->data, ct->data); else memcpy(t->data, ct->data, tsize - sizeof(*ct)); - pad = XT_ALIGN(target->targetsize) - target->targetsize; - if (pad > 0) - memset(t->data + target->targetsize, 0, pad); tsize += off; t->u.user.target_size = tsize;