lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Feb 2020 14:37:16 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Cong Wang <xiyou.wangcong@...il.com>, Florian Westphal <fw@...len.de>, Pablo Neira Ayuso <pablo@...filter.org>, syzbot+adf6c6c2be1c3a718121@...kaller.appspotmail.com Subject: [PATCH 4.9 162/165] netfilter: xt_hashlimit: limit the max size of hashtable From: Cong Wang <xiyou.wangcong@...il.com> commit 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 upstream. The user-specified hashtable size is unbound, this could easily lead to an OOM or a hung task as we hold the global mutex while allocating and initializing the new hashtable. Add a max value to cap both cfg->size and cfg->max, as suggested by Florian. Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@...kaller.appspotmail.com Signed-off-by: Cong Wang <xiyou.wangcong@...il.com> Reviewed-by: Florian Westphal <fw@...len.de> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- net/netfilter/xt_hashlimit.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -735,6 +735,8 @@ hashlimit_mt(const struct sk_buff *skb, return hashlimit_mt_common(skb, par, hinfo, &info->cfg, 2); } +#define HASHLIMIT_MAX_SIZE 1048576 + static int hashlimit_mt_check_common(const struct xt_mtchk_param *par, struct xt_hashlimit_htable **hinfo, struct hashlimit_cfg2 *cfg, @@ -745,6 +747,14 @@ static int hashlimit_mt_check_common(con if (cfg->gc_interval == 0 || cfg->expire == 0) return -EINVAL; + if (cfg->size > HASHLIMIT_MAX_SIZE) { + cfg->size = HASHLIMIT_MAX_SIZE; + pr_info_ratelimited("size too large, truncated to %u\n", cfg->size); + } + if (cfg->max > HASHLIMIT_MAX_SIZE) { + cfg->max = HASHLIMIT_MAX_SIZE; + pr_info_ratelimited("max too large, truncated to %u\n", cfg->max); + } if (par->family == NFPROTO_IPV4) { if (cfg->srcmask > 32 || cfg->dstmask > 32) return -EINVAL;
Powered by blists - more mailing lists