From patchwork Thu Oct 5 09:50:07 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 821673
X-Patchwork-Delegate: pablo@netfilter.org
Message-ID: <1507197007.14419.15.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
From: Eric Dumazet
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: netfilter-devel@vger.kernel.org, netdev, Willem de Bruijn, netdev
Date: Thu, 05 Oct 2017 02:50:07 -0700
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Eric Dumazet

syzkaller reports an out of bound read in strlcpy(), triggered
by xt_copy_counters_from_user()

Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.

Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Acked-by: Florian Westphal --- net/netfilter/x_tables.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len, if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) return ERR_PTR(-EFAULT); - strlcpy(info->name, compat_tmp.name, sizeof(info->name)); + memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); info->num_counters = compat_tmp.num_counters; user += sizeof(compat_tmp); } else @@ -905,9 +905,9 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len, if (copy_from_user(info, user, sizeof(*info)) != 0) return ERR_PTR(-EFAULT); - info->name[sizeof(info->name) - 1] = '\0'; user += sizeof(*info); } + info->name[sizeof(info->name) - 1] = '\0'; size = sizeof(struct xt_counters); size *= info->num_counters;
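Review bot: in the @@ -892,7 +892,7 @@ hunk, the memcpy() length comes from sizeof(info->name) while the bytes are read from compat_tmp.name, and nothing in the visible lines ties the two array sizes together. If compat_tmp.name were ever the smaller array, this copy would read past it, so consider a BUILD_BUG_ON(sizeof(info->name) != sizeof(compat_tmp.name)) next to the copy. Unlike the strlcpy() it replaces, this memcpy() also leaves the last byte of info->name unwritten; the string is only terminated by the assignment that the second hunk moves below the branch, and a short comment at the memcpy() saying so would help.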
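Review bot: in the @@ -905,9 +905,9 @@ hunk, the relocated info->name[sizeof(info->name) - 1] = '\0'; is now the only thing that terminates the name on the compat path, yet it carries no comment saying so. A one-line comment that the name comes from userspace and may arrive unterminated on either path would keep a later cleanup from moving the assignment back inside the else block. The placement after the closing brace and before the size computation looks right for covering both branches.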