Date:   Thu, 16 Jan 2020 22:11:09 +0100
From:   Florian Westphal <fw@...len.de>
To:     <netfilter-devel@...r.kernel.org>
Cc:     <netdev@...r.kernel.org>, syzkaller-bugs@...glegroups.com,
        Florian Westphal <fw@...len.de>,
        syzbot+156a04714799b1d480bc@...kaller.appspotmail.com
Subject: [PATCH nf] netfilter: nf_tables: check for valid chain type pointer before dereference

It's possible to create tables in a family that isn't supported/known.
Then, when adding a base chain, the table pointer can be NULL.

This gets us a NULL ptr dereference in nf_tables_addchain().

Fixes: baae3e62f31618 ("netfilter: nf_tables: fix chain type module reference handling")
Reported-by: syzbot+156a04714799b1d480bc@...kaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@...len.de>
---
 net/netfilter/nf_tables_api.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 65f51a2e9c2a..e8976128cdb1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -953,6 +953,9 @@ static int nf_tables_newtable(struct net *net, struct sock *nlsk,
 	struct nft_ctx ctx;
 	int err;
 
+	if (family >= NFPROTO_NUMPROTO)
+		return -EAFNOSUPPORT;
+
 	lockdep_assert_held(&net->nft.commit_mutex);
 	attr = nla[NFTA_TABLE_NAME];
 	table = nft_table_lookup(net, attr, family, genmask);
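Review bot: the `family >= NFPROTO_NUMPROTO` test at the top of nf_tables_newtable() rejects only out-of-range values, while the commit message talks about families that are not "supported/known". An in-range family with no chain type available still gets a table here and is caught only by the later `!type` check in nft_chain_parse_hook(). Please state that split in the commit message, and add a one-line comment above the check saying what the bound protects. The message also says "the table pointer can be NULL" where the subject and the third hunk are about the chain type pointer; the wording should match the code.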
@@ -1765,6 +1768,9 @@ static int nft_chain_parse_hook(struct net *net,
 	    ha[NFTA_HOOK_PRIORITY] == NULL)
 		return -EINVAL;
 
+	if (family >= NFPROTO_NUMPROTO)
+		return -EAFNOSUPPORT;
+
 	hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
 	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
 
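Review bot: the bound check in nft_chain_parse_hook() duplicates the one just added to nf_tables_newtable(), and it sits after the `-EINVAL` attribute check, so a request with both a bad family and missing hook attributes reports `-EINVAL` rather than `-EAFNOSUPPORT`. If a chain can only be added to a table that already passed the first check, say in the commit message that this copy is defence in depth. Otherwise, factor the test into one small helper so the two call sites cannot drift apart.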
@@ -1774,6 +1780,8 @@ static int nft_chain_parse_hook(struct net *net,
 						   family, autoload);
 		if (IS_ERR(type))
 			return PTR_ERR(type);
+	} else if (!type) {
+		return -EOPNOTSUPP;
 	}
 	if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
 		return -EOPNOTSUPP;
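Review bot: the new `else if (!type)` guards the `type->hook_mask` dereference on the next line only on the path where the preceding `if` body is skipped. Inside that body the result is tested with `IS_ERR(type)`, which is false for NULL, so if the lookup there can ever return NULL the dereference is still reachable. Either confirm in the commit message that the lookup returns an ERR_PTR and never NULL, or replace the `else if` with an unconditional `if (!type) return -EOPNOTSUPP;` after the block. Also note that the same root cause now yields `-EAFNOSUPPORT` in the first two hunks and `-EOPNOTSUPP` here; if that is intentional, a short comment would help whoever maps these errors in userspace.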
-- 
2.24.1
