From patchwork Thu Jul 22 15:12:08 2021
X-Patchwork-Submitter: Benjamin M Romer
X-Patchwork-Id: 1508756
From: Benjamin M Romer
To: kernel-team@lists.ubuntu.com
Subject: [bionic:linux-hwe][PATCH 1/1] netfilter: x_tables: fix compat match/target pad out-of-bound write
Date: Thu, 22 Jul 2021 11:12:08 -0400
Message-Id: <20210722151208.3674880-2-benjamin.romer@canonical.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210722151208.3674880-1-benjamin.romer@canonical.com>
References: <20210722151208.3674880-1-benjamin.romer@canonical.com>
List-Id: Kernel team discussions
Sender: "kernel-team"

From: Florian Westphal

xt_compat_match/target_from_user doesn't check that zeroing the area
to start of next rule won't write past end of allocated ruleset blob.

Remove this code and zero the entire blob beforehand.

Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
Reported-by: Andy Nguyen
Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit b29c457a6511435960115c0f548c4360d5f4801d)
CVE-2021-22555
Signed-off-by: Benjamin M Romer
Acked-by: Krzysztof Kozlowski
---
 net/ipv4/netfilter/arp_tables.c |  2 ++
 net/ipv4/netfilter/ip_tables.c  |  2 ++
 net/ipv6/netfilter/ip6_tables.c |  2 ++
 net/netfilter/x_tables.c        | 10 ++--------
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 557c295f2d9a..8e12b90a4c73 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1213,6 +1213,8 @@ static int translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_ARP_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 3a14153b8d07..aecb29c8bf82 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1447,6 +1447,8 @@ translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_INET_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index d7c16a30156f..e9a0c136bfe7 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1462,6 +1462,8 @@ translate_compat_table(struct net *net, if (!newinfo) goto out_unlock; + memset(newinfo->entries, 0, size); + newinfo->number = compatr->num_entries; for (i = 0; i < NF_INET_NUMHOOKS; i++) { newinfo->hook_entry[i] = compatr->hook_entry[i]; diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 44f971f31992..08105fd677e4 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -731,7 +731,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, { const struct xt_match *match = m->u.kernel.match; struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; - int pad, off = xt_compat_match_offset(match); + int off = xt_compat_match_offset(match); u_int16_t msize = cm->u.user.match_size; char name[sizeof(m->u.user.name)]; 
@@ -741,9 +741,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, match->compat_from_user(m->data, cm->data); else memcpy(m->data, cm->data, msize - sizeof(*cm)); - pad = XT_ALIGN(match->matchsize) - match->matchsize; - if (pad > 0) - memset(m->data + match->matchsize, 0, pad); msize += off; m->u.user.match_size = msize; @@ -1114,7 +1111,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, { const struct xt_target *target = t->u.kernel.target; struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; - int pad, off = xt_compat_target_offset(target); + int off = xt_compat_target_offset(target); u_int16_t tsize = ct->u.user.target_size; char name[sizeof(t->u.user.name)]; @@ -1124,9 +1121,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, target->compat_from_user(t->data, ct->data); else memcpy(t->data, ct->data, tsize - sizeof(*ct)); - pad = XT_ALIGN(target->targetsize) - target->targetsize; - if (pad > 0) - memset(t->data + target->targetsize, 0, pad); tsize += off; t->u.user.target_size = tsize;
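Review bot: the added `memset(newinfo->entries, 0, size);` in the arp_tables.c translate_compat_table() hunk (@@ -1213) is itself an out-of-bounds write unless `size` is exactly the length `newinfo->entries` was allocated with; the allocation sits just above the hunk's context and is not shown, so please confirm `size` is the value handed to the allocator and is not adjusted between that call and this point. The placement directly after the `if (!newinfo) goto out_unlock;` check and before `newinfo->number = compatr->num_entries;` is the right one for what the commit message relies on: the whole blob is zero before any rule is translated into it.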
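Review bot: the ip6_tables.c hunk (@@ -1462) is the third byte-identical `memset(newinfo->entries, 0, size);` in this patch, after arp_tables.c and ip_tables.c, each placed by hand after the allocation check. Since the x_tables.c hunks make xt_compat_match_from_user() and xt_compat_target_from_user() silently depend on a pre-zeroed destination, consider doing the zeroing once in whatever allocation helper the three tables share, or at least adding a one-line comment at each site stating that the compat from_user helpers require it, so a future caller cannot omit it.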
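Review bot: with `pad = XT_ALIGN(match->matchsize) - match->matchsize;` and the `memset(m->data + match->matchsize, 0, pad);` removed in the xt_compat_match_from_user() hunk (@@ -741), the function no longer zeroes the alignment gap after the match data at all; correctness now rests on every caller having zeroed the destination blob first. The function is non-static, so please confirm that the three translate_compat_table() sites patched here are its only callers; any other caller would now leave those pad bytes holding whatever the allocator returned, trading a fixed out-of-bounds write for uninitialized memory inside the ruleset blob.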
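Review bot: the same caller dependency applies to xt_compat_target_from_user() once `memset(t->data + target->targetsize, 0, pad);` is gone in the @@ -1124 hunk, and the commit message would benefit from one sentence on why removal is the right fix rather than adding a bound check. The visible lines show the removed write's offset derived from the kernel-side `target->targetsize` while the copy length `tsize - sizeof(*ct)` comes from the user-supplied `ct->u.user.target_size`, and the function's signature carries no notion of where the allocated blob ends, so a bound could not be checked here without a new parameter; zeroing the whole blob up front needs no offset arithmetic at all.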
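The commit message describes the fix as dropping the per-match pad zeroing and zeroing the whole blob once after allocation. The following C is an added user-space model written for this page, not kernel code and not part of the patch: it shows the bound the removed memset never checked and the patched copy sequence. MODEL_XT_ALIGN, its 8-byte alignment, the 24-byte blob and the payload offsets are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Model of the kernel's XT_ALIGN: round a payload length up to 8 bytes (assumed). */
#define MODEL_XT_ALIGN(len) ((((size_t)(len)) + 7u) & ~(size_t)7u)

/* The bound the removed per-match memset never checked: does zeroing the pad after a
 * payload of matchsize bytes placed at data_off stay inside a blob of blob_size bytes? */
static int pad_write_in_bounds(size_t blob_size, size_t data_off, size_t matchsize)
{
    if (data_off > blob_size || matchsize > blob_size - data_off)
        return 0;                                  /* payload itself does not fit */
    return data_off + MODEL_XT_ALIGN(matchsize) <= blob_size;
}

/* Patched pattern: the blob is zeroed once after allocation, so a payload copy needs no
 * trailing pad write. Returns 0 on success, -1 if the payload itself would not fit. */
static int copy_match_prezeroed(unsigned char *blob, size_t blob_size, size_t data_off,
                                const unsigned char *src, size_t matchsize)
{
    if (data_off > blob_size || matchsize > blob_size - data_off)
        return -1;
    memcpy(blob + data_off, src, matchsize);
    return 0;
}

/* 1 if every byte in [from, to) of blob is zero. */
static int range_is_zero(const unsigned char *blob, size_t from, size_t to)
{
    while (from < to)
        if (blob[from++] != 0)
            return 0;
    return 1;
}

/* Constructed scenario: a 24-byte blob modelled as fresh, unzeroed memory (0xAA), whose
 * last 6-byte match payload sits at offset 18. A per-match pad write would reach byte 25;
 * the patched sequence zeroes the whole blob first and copies only the payload.
 * Returns 1 when the payload is intact, all other bytes are zero, and the old pad write
 * would indeed have been out of bounds. */
static int demo_patched_sequence(void)
{
    unsigned char blob[24];
    const unsigned char src[6] = {1, 2, 3, 4, 5, 6};
    memset(blob, 0xAA, sizeof blob);
    memset(blob, 0, sizeof blob);           /* the added memset(newinfo->entries, 0, size) */
    if (copy_match_prezeroed(blob, sizeof blob, 18, src, 6) != 0)
        return 0;
    return memcmp(blob + 18, src, 6) == 0 && range_is_zero(blob, 0, 18)
        && !pad_write_in_bounds(sizeof blob, 18, 6);
}
```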