| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180305143235.GK11889@breakpoint.cc>
Date: Mon, 5 Mar 2018 15:32:35 +0100
From: Florian Westphal <fw@...len.de>
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, Pablo Neira Ayuso <pablo@...filter.org>,
Florian Westphal <fw@...len.de>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
Stephen Hemminger <stephen@...workplumber.org>,
netfilter-devel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH net] netfilter: check for out-of-bounds while copying
compat entries
Paolo Abeni <pabeni@...hat.com> wrote:
> Currently, when coping ebt compat entries, no checks are in place
> for the offsets provided by user space, so that syzbot was able to
> trigger the following splat:
> ---
> net/bridge/netfilter/ebtables.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 02c4b409d317..54ceaff701fb 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2114,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
> unsigned int size;
> char *buf = buf_start + offsets[i];
>
> - if (offsets[i] > offsets[j])
> + if (offsets[i] > offsets[j] || offsets[j] > *total)
> return -EINVAL;
I thought i fixed this via b71812168571fa55e44cdd0254471331b9c4c4c6,
and, after looking at it again I still don't see why that doesn't cover
this :-(
Powered by blists - more mailing lists