Message-Id: <20241112113434.58975-1-aha310510@gmail.com>
Date: Tue, 12 Nov 2024 20:34:34 +0900
From: Jeongjun Park <aha310510@...il.com>
To: pablo@...filter.org,
	kadlec@...filter.org
Cc: davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	kaber@...sh.net,
	netfilter-devel@...r.kernel.org,
	coreteam@...filter.org,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	stable@...r.kernel.org,
	syzbot+58c872f7790a4d2ac951@...kaller.appspotmail.com,
	Jeongjun Park <aha310510@...il.com>
Subject: [PATCH net] netfilter: ipset: add missing range check in bitmap_ip_uadt

In the bitmap_ip_uadt function, if ip is greater than ip_to, they are swapped.
However, there is no check to see if ip is smaller than map->first, which
causes an out-of-bounds vulnerability. Therefore, you need to add a missing
bounds check to prevent out-of-bounds.

Cc: <stable@...r.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@...kaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@...il.com>
---
 net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index e4fa00abde6a..705c316b001a 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -178,7 +178,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
 		ip_to = ip;
 	}
 
-	if (ip_to > map->last_ip)
+	if (ip < map->first_ip || ip_to > map->last_ip)
 		return -IPSET_ERR_BITMAP_RANGE;
 
 	for (; !before(ip_to, ip); ip += map->hosts) {
--

Powered by blists - more mailing lists