From patchwork Thu Dec 28 08:48:54 2017
X-Patchwork-Submitter: Dmitry Vyukov
X-Patchwork-Id: 853374
X-Patchwork-Delegate: pablo@netfilter.org
From: Dmitry Vyukov
To: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net
Cc: Dmitry Vyukov, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] netfilter: fix int overflow in xt_alloc_table_info()
Date: Thu, 28 Dec 2017 09:48:54 +0100
Message-Id: <20171228084854.247843-1-dvyukov@google.com>

syzkaller triggered OOM kills by passing ipt_replace.size = -1 to IPT_SO_SET_REPLACE. The root cause is that SMP_ALIGN() in xt_alloc_table_info() causes int overflow and the size check passes when it should not. SMP_ALIGN() is a no longer needed leftover.

Remove SMP_ALIGN() call in xt_alloc_table_info().

Reported-by: syzbot+4396883fa8c4f64e0175@syzkaller.appspotmail.com
Signed-off-by: Dmitry Vyukov
Cc: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik
Cc: Florian Westphal
Cc: "David S. Miller"
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
--- net/netfilter/x_tables.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 55802e97f906..e02a21549c99 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -39,7 +39,6 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Harald Welte "); MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module"); -#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1)) #define XT_PCPU_BLOCK_SIZE 4096 struct compat_delta { 
@@ -1000,7 +999,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) return NULL; /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ - if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) + if ((size >> PAGE_SHIFT) + 2 > totalram_pages) return NULL; info = kvmalloc(sz, GFP_KERNEL);
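
Review bot: the first hunk (around line 39 of net/netfilter/x_tables.c) deletes the SMP_ALIGN() definition, while the diffstat of 1 insertion and 2 deletions shows only a single caller being converted; please confirm that no other user of the macro remains in this file, since a leftover use would break the build. The changelog would also be easier to verify if it named the change that made the alignment unnecessary, rather than only calling it a leftover.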
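
Review bot: in the xt_alloc_table_info() hunk the new test `(size >> PAGE_SHIFT) + 2 > totalram_pages` bounds `size`, but the allocation two lines later is `kvmalloc(sz, GFP_KERNEL)`; checking `sz` instead would tie the limit to the amount that is actually requested. Note also that `size` is an `unsigned int`, so the left-hand side can never exceed roughly one million pages with 4 KiB pages, which means that on a machine with more RAM than that the check still admits a request of almost 4 GiB. An explicit upper cap on the table size would close that gap, and the "Pedantry" comment above the check could be updated to say what the test now guards against.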
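
The wrap-around described in the commit message, modelled in user space as an added example (not part of the patch or of the kernel source). SMP_CACHE_BYTES = 64 and PAGE_SHIFT = 12 are assumed values, and the MODEL_* names, the three helper functions and the sample sizes are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed values for this model; the kernel's are architecture-dependent. */
#define MODEL_SMP_CACHE_BYTES 64u
#define MODEL_PAGE_SHIFT 12

/* Same expression as the removed SMP_ALIGN(), evaluated in unsigned int. */
#define MODEL_SMP_ALIGN(x) \
	(((x) + MODEL_SMP_CACHE_BYTES - 1) & ~(MODEL_SMP_CACHE_BYTES - 1))

/* Pre-patch size check: returns true when the request is refused. */
static bool old_check_rejects(unsigned int size, unsigned long totalram_pages)
{
	return (MODEL_SMP_ALIGN(size) >> MODEL_PAGE_SHIFT) + 2 > totalram_pages;
}

/* Post-patch size check: the alignment step is gone, so nothing can wrap. */
static bool new_check_rejects(unsigned int size, unsigned long totalram_pages)
{
	return (size >> MODEL_PAGE_SHIFT) + 2 > totalram_pages;
}

/* Exposes the aligned value so the wrap itself can be inspected. */
static unsigned int model_aligned(unsigned int size)
{
	return MODEL_SMP_ALIGN(size);
}

int main(void)
{
	/* Constructed inputs: 1 GiB of RAM in 4 KiB pages, sizes around the wrap. */
	unsigned long ram_pages = 1ul << 18;
	unsigned int sizes[] = { 4096u, 0xffffffc0u, 0xffffffc1u, 0xffffffffu };

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("size=0x%08x aligned=0x%08x old=%s new=%s\n",
		       sizes[i], model_aligned(sizes[i]),
		       old_check_rejects(sizes[i], ram_pages) ? "reject" : "pass",
		       new_check_rejects(sizes[i], ram_pages) ? "reject" : "pass");
	return 0;
}
```

Under these assumptions only the top 63 values of `size` wrap to zero after alignment, which is why a size of -1 (0xffffffff as an unsigned int) slipped past the old check.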