lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon,  5 Mar 2018 15:07:36 +0100
From:   Paolo Abeni <pabeni@...hat.com>
To:     netdev@...r.kernel.org
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Florian Westphal <fw@...len.de>,
        Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
        Stephen Hemminger <stephen@...workplumber.org>,
        netfilter-devel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: [PATCH net] netfilter: check for out-of-bounds while copying compat entries

Currently, when coping ebt compat entries, no checks are in place
for the offsets provided by user space, so that syzbot was able to
trigger the following splat:

BUG: unable to handle kernel paging request at ffffc90001819e4f
IP: ebt_size_mwt net/bridge/netfilter/ebtables.c:2037 [inline]
IP: size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
IP: compat_copy_entries+0x49f/0x1050 net/bridge/netfilter/ebtables.c:2160
PGD 1dad2f067 P4D 1dad2f067 PUD 1dad30067 PMD 1b2408067 PTE 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4249 Comm: syz-executor0 Not tainted 4.16.0-rc3+ #248
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ebt_size_mwt net/bridge/netfilter/ebtables.c:2037 [inline]
RIP: 0010:size_entry_mwt net/bridge/netfilter/ebtables.c:2122 [inline]
RIP: 0010:compat_copy_entries+0x49f/0x1050
net/bridge/netfilter/ebtables.c:2160
RSP: 0018:ffff8801b34bf7e8 EFLAGS: 00010246
RAX: 000000000000000a RBX: ffff8801b34bf9d4 RCX: ffffc90001819e4f
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801b34bf9d8
RBP: ffff8801b34bf968 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff88613340 R11: 0000000000000001 R12: 000000000000ee5f
R13: dffffc0000000000 R14: ffff8801b34bf9c8 R15: ffffc90001819e2f
FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000085b9900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffffc90001819e4f CR3: 00000001b2bd7003 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  compat_do_replace+0x398/0x7c0 net/bridge/netfilter/ebtables.c:2249
  compat_do_ebt_set_ctl+0x22a/0x2d0 net/bridge/netfilter/ebtables.c:2330
  compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
  compat_nf_setsockopt+0x88/0x130 net/netfilter/nf_sockopt.c:156
  compat_ip_setsockopt+0x8b/0xd0 net/ipv4/ip_sockglue.c:1285
  inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:1041
  compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2916
  compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2986
  C_SYSC_setsockopt net/compat.c:403 [inline]
  compat_SyS_setsockopt+0x17c/0x410 net/compat.c:386
  do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
  do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fbbc99
RSP: 002b:00000000ffd5ab8c EFLAGS: 00000286 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020000280 RDI: 0000000000000208
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Code: 8d 4f 20 48 89 c8 48 89 8d c8 fe ff ff 48 c1 e8 03 42 0f b6 14 28 48
89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b2 0a 00 00 <45> 8b 67 20
44 39 a5 04 ff ff ff 0f 82 bd 08 00 00 e8 cb 52 56

This change addresses the issue, checking that the provided offset are
all inside the provided buffer.

Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-and-tested-by: syzbot+5705ba91388d7bc30828@...kaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@...hat.com>
---
 net/bridge/netfilter/ebtables.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 02c4b409d317..54ceaff701fb 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2114,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
 		unsigned int size;
 		char *buf = buf_start + offsets[i];
 
-		if (offsets[i] > offsets[j])
+		if (offsets[i] > offsets[j] || offsets[j] > *total)
 			return -EINVAL;
 
 		match32 = (struct compat_ebt_entry_mwt *) buf;
-- 
2.14.3

Powered by blists - more mailing lists