From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jann Horn <jannh@google.com>
Cc: Willem de Bruijn <willemb@google.com>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Florian Westphal <fw@strlen.de>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, coreteam@netfilter.org,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: add overflow checks in xt_bpf.c
Date: Mon, 4 Dec 2017 11:36:03 +0100 [thread overview]
Message-ID: <20171204103603.GA16237@salvia> (raw)
In-Reply-To: <20171201004607.7389-1-jannh@google.com>
On Fri, Dec 01, 2017 at 01:46:07AM +0100, Jann Horn wrote:
> Check whether inputs from userspace are too long (explicit length field too
> big or string not null-terminated) to avoid out-of-bounds reads.
>
> As far as I can tell, this can at worst lead to very limited kernel heap
> memory disclosure or oopses.
>
> This bug can be triggered by an unprivileged user even if the xt_bpf module
> is not loaded: iptables is available in network namespaces, and the xt_bpf
> module can be autoloaded.
>
> Triggering the bug with a classic BPF filter with fake length 0x1000 causes
> the following KASAN report:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0
> Read of size 32768 at addr ffff8801eff2c494 by task test/4627
>
> CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1
> [...]
> Call Trace:
> dump_stack+0x5c/0x85
> print_address_description+0x6a/0x260
> kasan_report+0x254/0x370
> ? bpf_prog_create+0x84/0xf0
> memcpy+0x1f/0x50
> bpf_prog_create+0x84/0xf0
> bpf_mt_check+0x90/0xd6 [xt_bpf]
> [...]
> Allocated by task 4627:
> kasan_kmalloc+0xa0/0xd0
> __kmalloc_node+0x47/0x60
> xt_alloc_table_info+0x41/0x70 [x_tables]
> [...]
> The buggy address belongs to the object at ffff8801eff2c3c0
> which belongs to the cache kmalloc-2048 of size 2048
> The buggy address is located 212 bytes inside of
> 2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0)
> [...]
> ==================================================================
Applied, thanks.
prev parent reply other threads:[~2017-12-04 10:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-01 0:46 [PATCH] netfilter: add overflow checks in xt_bpf.c Jann Horn
2017-12-01 4:04 ` Willem de Bruijn
2017-12-01 4:08 ` Jann Horn
2017-12-01 4:11 ` Willem de Bruijn
2017-12-04 10:36 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171204103603.GA16237@salvia \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=jannh@google.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.