Date: Fri, 6 Oct 2017 15:05:12 +0200 From: Pablo Neira Ayuso <pablo@...filter.org> To: Florian Westphal <fw@...len.de> Cc: Eric Dumazet <eric.dumazet@...il.com>, Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>, netfilter-devel@...r.kernel.org, netdev <netdev@...r.kernel.org>, Willem de Bruijn <willemb@...gle.com> Subject: Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user On Thu, Oct 05, 2017 at 11:56:44AM +0200, Florian Westphal wrote: > Eric Dumazet <eric.dumazet@...il.com> wrote: > > From: Eric Dumazet <edumazet@...gle.com> > > > > syzkaller reports an out of bound read in strlcpy(), triggered > > by xt_copy_counters_from_user() > > > > Fix this by using memcpy(), then forcing a zero byte at the last position > > of the destination, as Florian did for the non COMPAT code. > > > > Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user") > > Signed-off-by: Eric Dumazet <edumazet@...gle.com> > > Cc: Willem de Bruijn <willemb@...gle.com> > > --- > > net/netfilter/x_tables.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > > index c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712 100644 > > --- a/net/netfilter/x_tables.c > > +++ b/net/netfilter/x_tables.c > > @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len, > > if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) > > return ERR_PTR(-EFAULT); > > > > - strlcpy(info->name, compat_tmp.name, sizeof(info->name)); > > + memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); > > Argh, right, compat_tmp.name might not be 0 terminated :-/ > > Acked-by: Florian Westphal <fw@...len.de> Applied to nf, thanks.
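Review bot: The memcpy() line that replaces strlcpy() copies only sizeof(info->name) - 1 bytes, and the quoted hunk ends there, so nothing visible sets the final byte of info->name. The commit message says a zero byte is forced at the last position and the diffstat counts two insertions, so the second added line is presumably that terminator store, something like info->name[sizeof(info->name) - 1] = '\0'; it is worth confirming that it directly follows the memcpy() and is not left to an earlier zeroing of info. A one-line comment above the memcpy() noting that compat_tmp.name arrives through copy_from_user() and may not be 0 terminated would record why strlcpy(), which was reported reading out of bounds here, must not be reintroduced.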