lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Apr 2018 11:26:22 +0200 From: Florian Westphal <fw@...len.de> To: Paolo Abeni <pabeni@...hat.com> Cc: netfilter-devel@...r.kernel.org, syzbot <syzbot+4e42a04e0bc33cb6c087@...kaller.appspotmail.com>, fw@...len.de, coreteam@...filter.org, syzkaller-bugs@...glegroups.com, netdev@...r.kernel.org Subject: Re: [PATCH] netfilter: ebtables: handle string from userspace with care Paolo Abeni <pabeni@...hat.com> wrote: > strlcpy() can't be safely used on a user-space provided string, > as it can try to read beyond the buffer's end, if the latter is > not NULL terminated. Yes. > Leveraging the above, syzbot has been able to trigger the following > splat: > > BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 > [inline] > BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user > net/bridge/netfilter/ebtables.c:1957 [inline] > BUG: KASAN: stack-out-of-bounds in ebt_size_mwt > net/bridge/netfilter/ebtables.c:2059 [inline] > BUG: KASAN: stack-out-of-bounds in size_entry_mwt > net/bridge/netfilter/ebtables.c:2155 [inline] > BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 > net/bridge/netfilter/ebtables.c:2194 > Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504 Which is weird, I don't understand this report. The code IS wrong, but it should cause out-of-bounds read (strlen on src), but not out-of-bounds write. Yes, I sent a recent patch (dceb48d86b4871984b8ce9ad5057fb2c01aa33de in nf.git) that would now allow to get rid of the strlcpy and use the source directly.
Powered by blists - more mailing lists