From: Eric Dumazet <eric.dumazet@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>
Cc: netdev <netdev@vger.kernel.org>, netfilter-devel@vger.kernel.org
Subject: [PATCH v2 net] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
Date: Wed, 24 Jan 2018 17:16:09 -0800 [thread overview]
Message-ID: <1516842969.3715.41.camel@gmail.com> (raw)
In-Reply-To: <20180125001336.ilboagwlcpck54ip@salvia>
From: Eric Dumazet <edumazet@google.com>
It looks like syzbot found its way into netfilter territory.
Issue here is that @name comes from user space and might
not be null terminated.
Out-of-bound reads happen, KASAN is not happy.
v2 added similar fix for xt_request_find_target(),
as Florian advised.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
No Fixes: tag, bug seems to be a day-0 one.
net/netfilter/x_tables.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 55802e97f906d1987ed78b4296584deb38e5f876..ecffc51ce83b07c063a0db67cdb33d9bf48a75ac 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -210,6 +210,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
{
struct xt_match *match;
+ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+ return ERR_PTR(-EINVAL);
+
match = xt_find_match(nfproto, name, revision);
if (IS_ERR(match)) {
request_module("%st_%s", xt_prefix[nfproto], name);
@@ -252,6 +255,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
{
struct xt_target *target;
+ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+ return ERR_PTR(-EINVAL);
+
target = xt_find_target(af, name, revision);
if (IS_ERR(target)) {
request_module("%st_%s", xt_prefix[af], name);
next prev parent reply other threads:[~2018-01-25 1:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-24 22:49 [PATCH net] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_match() Eric Dumazet
2018-01-24 23:19 ` Florian Westphal
2018-01-24 23:50 ` Pablo Neira Ayuso
2018-01-25 0:13 ` Pablo Neira Ayuso
2018-01-25 1:13 ` Eric Dumazet
2018-01-25 1:16 ` Eric Dumazet [this message]
2018-01-25 6:09 ` [PATCH v2 net] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} Florian Westphal
2018-01-25 11:33 ` Pablo Neira Ayuso
2018-01-24 23:49 ` [PATCH net] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_match() Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1516842969.3715.41.camel@gmail.com \
--to=eric.dumazet@gmail.com \
--cc=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.