Message ID | 20180514054128.9385-2-khalid.elmously@canonical.com
---|---
State | New
Series | CVE-2018-1068
On Mon, May 14, 2018 at 01:41:28AM -0400, Khalid Elmously wrote:
> From: Florian Westphal <fw@strlen.de>
>
> CVE-2018-1068
>
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
>
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
>
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
>
> Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry-picked from b71812168571fa55e44cdd0254471331b9c4c4c6)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
> net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 9c6e619f452b..6890bb669197 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2061,7 +2061,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, > if (match_kern) > match_kern->match_size = ret; > > - WARN_ON(type == EBT_COMPAT_TARGET && size_left); > + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) > + return -EINVAL; > + > match32 = (struct compat_ebt_entry_mwt *) buf; > }
>
> @@ -2117,6 +2119,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, > * > * offsets are relative to beginning of struct ebt_entry (i.e., 0). > */ > + for (i = 0; i < 4 ; ++i) { > + if (offsets[i] >= *total) > + return -EINVAL; > + if (i == 0) > + continue; > + if (offsets[i-1] > offsets[i]) > + return -EINVAL; > + } > + > for (i = 0, j = 1 ; j < 4 ; j++, i++) { > struct compat_ebt_entry_mwt *match32; > unsigned int size;
> --
> 2.17.0
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Looks to be sane to me.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
On 05/14/18 07:41, Khalid Elmously wrote:
> From: Florian Westphal <fw@strlen.de>
>
> CVE-2018-1068
>
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
>
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
>
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
>
> Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry-picked from b71812168571fa55e44cdd0254471331b9c4c4c6)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

Clean cherry-pick:

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

As Andy mentioned on the other email, by the CVE matrix it seems that
trusty/linux needs the fix as well.

Thanks,
Kleber

> ---
> net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 9c6e619f452b..6890bb669197 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2061,7 +2061,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, > if (match_kern) > match_kern->match_size = ret; > > - WARN_ON(type == EBT_COMPAT_TARGET && size_left); > + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) > + return -EINVAL; > + > match32 = (struct compat_ebt_entry_mwt *) buf; > }
>
> @@ -2117,6 +2119,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, > * > * offsets are relative to beginning of struct ebt_entry (i.e., 0). > */ > + for (i = 0; i < 4 ; ++i) { > + if (offsets[i] >= *total) > + return -EINVAL; > + if (i == 0) > + continue; > + if (offsets[i-1] > offsets[i]) > + return -EINVAL; > + } > + > for (i = 0, j = 1 ; j < 4 ; j++, i++) { > struct compat_ebt_entry_mwt *match32; > unsigned int size;
>
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 9c6e619f452b..6890bb669197 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2061,7 +2061,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, if (match_kern) match_kern->match_size = ret; - WARN_ON(type == EBT_COMPAT_TARGET && size_left); + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + return -EINVAL; + match32 = (struct compat_ebt_entry_mwt *) buf; } @@ -2117,6 +2119,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, * * offsets are relative to beginning of struct ebt_entry (i.e., 0). */ + for (i = 0; i < 4 ; ++i) { + if (offsets[i] >= *total) + return -EINVAL; + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) + return -EINVAL; + } + for (i = 0, j = 1 ; j < 4 ; j++, i++) { struct compat_ebt_entry_mwt *match32; unsigned int size;
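Review bot: in the ebt_size_mwt hunk (@@ -2061), the condition inside `WARN_ON(type == EBT_COMPAT_TARGET && size_left)` is reachable from userspace-supplied data (the commit message itself says it was hit by syzkaller via a 32-bit ebtables ruleset), so wrapping the new early return in WARN_ON still lets a malformed ruleset trigger a kernel warning, and with panic_on_warn set, which the commit message notes syzkaller enables, still a panic. Since `return -EINVAL;` now handles the case cleanly, suggest a plain `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;` (or at most a rate-limited pr_debug), keeping WARN_ON for genuine kernel bugs rather than for input validation failures.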
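Review bot: in the size_entry_mwt hunk (@@ -2117), the two new boundaries deserve a line in the comment block just above, which currently only says that offsets are relative to the start of struct ebt_entry: the ordering check `if (offsets[i-1] > offsets[i])` deliberately accepts equal adjacent offsets (an empty section between them), while the range check `if (offsets[i] >= *total)` rejects an offset equal to the remaining total; without a comment stating that both boundaries are intended, a later reader is likely to "fix" one of them to match the other. Style nit: `for (i = 0; i < 4 ; ++i)` has a space before the semicolon; it copies the existing `j < 4 ;` in the loop below, but new code should follow kernel style (`i < 4;`), and the hard-coded 4 could be `ARRAY_SIZE(offsets)` so the two loops cannot drift apart.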