From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 3.14 15/29] netfilter: x_tables: validate e->target_offset early
Date: Wed, 22 Jun 2016 15:37:23 -0700 [thread overview]
Message-ID: <20160622223531.358605234@linuxfoundation.org> (raw)
In-Reply-To: <20160622223530.496939726@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit bdf533de6968e9686df777dc178486f600c6e617 upstream.
We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/netfilter/arp_tables.c | 17 ++++++++---------
net/ipv4/netfilter/ip_tables.c | 17 ++++++++---------
net/ipv6/netfilter/ip6_tables.c | 17 ++++++++---------
3 files changed, 24 insertions(+), 27 deletions(-)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -470,14 +470,12 @@ static int mark_source_chains(const stru
return 1;
}
-static inline int check_entry(const struct arpt_entry *e, const char *name)
+static inline int check_entry(const struct arpt_entry *e)
{
const struct xt_entry_target *t;
- if (!arp_checkentry(&e->arp)) {
- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
+ if (!arp_checkentry(&e->arp))
return -EINVAL;
- }
if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
return -EINVAL;
@@ -518,10 +516,6 @@ find_check_entry(struct arpt_entry *e, c
struct xt_target *target;
int ret;
- ret = check_entry(e, name);
- if (ret)
- return ret;
-
t = arpt_get_target(e);
target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
t->u.user.revision);
@@ -566,6 +560,7 @@ static inline int check_entry_size_and_h
unsigned int valid_hooks)
{
unsigned int h;
+ int err;
if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
(unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
@@ -580,6 +575,10 @@ static inline int check_entry_size_and_h
return -EINVAL;
}
+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1237,7 +1236,7 @@ check_compat_entry_size_and_hooks(struct
}
/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct arpt_entry *)e, name);
+ ret = check_entry((struct arpt_entry *)e);
if (ret)
return ret;
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -565,14 +565,12 @@ static void cleanup_match(struct xt_entr
}
static int
-check_entry(const struct ipt_entry *e, const char *name)
+check_entry(const struct ipt_entry *e)
{
const struct xt_entry_target *t;
- if (!ip_checkentry(&e->ip)) {
- duprintf("ip check failed %p %s.\n", e, name);
+ if (!ip_checkentry(&e->ip))
return -EINVAL;
- }
if (e->target_offset + sizeof(struct xt_entry_target) >
e->next_offset)
@@ -662,10 +660,6 @@ find_check_entry(struct ipt_entry *e, st
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;
- ret = check_entry(e, name);
- if (ret)
- return ret;
-
j = 0;
mtpar.net = net;
mtpar.table = name;
@@ -729,6 +723,7 @@ check_entry_size_and_hooks(struct ipt_en
unsigned int valid_hooks)
{
unsigned int h;
+ int err;
if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
(unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
@@ -743,6 +738,10 @@ check_entry_size_and_hooks(struct ipt_en
return -EINVAL;
}
+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1503,7 +1502,7 @@ check_compat_entry_size_and_hooks(struct
}
/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ipt_entry *)e, name);
+ ret = check_entry((struct ipt_entry *)e);
if (ret)
return ret;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -575,14 +575,12 @@ static void cleanup_match(struct xt_entr
}
static int
-check_entry(const struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e)
{
const struct xt_entry_target *t;
- if (!ip6_checkentry(&e->ipv6)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+ if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
- }
if (e->target_offset + sizeof(struct xt_entry_target) >
e->next_offset)
@@ -673,10 +671,6 @@ find_check_entry(struct ip6t_entry *e, s
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;
- ret = check_entry(e, name);
- if (ret)
- return ret;
-
j = 0;
mtpar.net = net;
mtpar.table = name;
@@ -740,6 +734,7 @@ check_entry_size_and_hooks(struct ip6t_e
unsigned int valid_hooks)
{
unsigned int h;
+ int err;
if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
(unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
@@ -754,6 +749,10 @@ check_entry_size_and_hooks(struct ip6t_e
return -EINVAL;
}
+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1515,7 +1514,7 @@ check_compat_entry_size_and_hooks(struct
}
/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ip6t_entry *)e, name);
+ ret = check_entry((struct ip6t_entry *)e);
if (ret)
return ret;
next prev parent reply other threads:[~2016-06-22 23:27 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-22 22:37 [PATCH 3.14 00/29] 3.14.73-stable review Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 01/29] netlink: Fix dump skb leak/double free Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 02/29] sfc: on MC reset, clear PIO buffer linkage in TXQs Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 03/29] tcp: record TLP and ER timer stats in v6 stats Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 05/29] ARM: fix PTRACE_SETVFPREGS on SMP systems Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 06/29] crypto: ccp - Fix AES XTS error for request sizes above 4096 Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 07/29] powerpc: Fix definition of SIAR and SDAR registers Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 08/29] powerpc: Use privileged SPR number for MMCR2 Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 09/29] parisc: Fix pagefault crash in unaligned __get_user() call Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 10/29] ecryptfs: forbid opening files without mmap handler Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 11/29] wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 12/29] fix d_walk()/non-delayed __d_free() race Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 13/29] MIPS: Fix 64k page support for 32 bit kernels Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 14/29] powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge Greg Kroah-Hartman
2016-06-22 22:37 ` Greg Kroah-Hartman [this message]
2016-06-22 22:37 ` [PATCH 3.14 16/29] netfilter: x_tables: make sure e->next_offset covers remaining blob size Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 17/29] netfilter: x_tables: fix unconditional helper Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 18/29] xfs: fix up backport error in fs/xfs/xfs_inode.c Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 19/29] pipe: limit the per-user amount of pages allocated in pipes Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 20/29] netfilter: x_tables: dont move to non-existent next rule Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 21/29] netfilter: x_tables: validate targets of jumps Greg Kroah-Hartman
2016-06-23 8:54 ` Florian Westphal
2016-06-23 9:13 ` Florian Westphal
2016-06-24 2:46 ` Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 22/29] netfilter: x_tables: add and use xt_check_entry_offsets Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 23/29] netfilter: x_tables: kill check_entry helper Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 24/29] netfilter: x_tables: assert minimum target size Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 25/29] netfilter: x_tables: add compat version of xt_check_entry_offsets Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 26/29] netfilter: x_tables: check standard target size too Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 27/29] netfilter: x_tables: check for bogus target offset Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 28/29] netfilter: x_tables: validate all offsets and sizes in a rule Greg Kroah-Hartman
2016-06-22 22:37 ` [PATCH 3.14 29/29] netfilter: x_tables: dont reject valid target size on some architectures Greg Kroah-Hartman
2016-06-23 4:54 ` [PATCH 3.14 00/29] 3.14.73-stable review -rc2 Greg Kroah-Hartman
2016-06-23 19:41 ` Guenter Roeck
2016-06-23 21:54 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160622223531.358605234@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.