From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, hch@lst.de,
	syzkaller-bugs@googlegroups.com, netdev@vger.kernel.org,
	syzbot+5accb5c62faa1d346480@syzkaller.appspotmail.com
Subject: Re: [PATCH nf] netfilter/ebtables: reject bogus getopt len value
Date: Fri, 14 Aug 2020 11:59:43 +0200	[thread overview]
Message-ID: <20200814095943.GC5816@salvia> (raw)
In-Reply-To: <20200813074611.281558-1-fw@strlen.de>

On Thu, Aug 13, 2020 at 09:46:11AM +0200, Florian Westphal wrote:
> syzkaller reports splat:
> ------------[ cut here ]------------
> Buffer overflow detected (80 < 137)!
> Call Trace:
>  do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
>  nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
>  ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
> 
> caused by a copy-to-user with a too-large "*len" value.
> This adds an argument check on *len just like in the non-compat version
> of the handler.
> 
> Before the "Fixes" commit, the reproducer fails with -EINVAL as
> expected:
> 1. core calls the "compat" getsockopt version
> 2. compat getsockopt version detects the *len value is possibly
>    in 64-bit layout (*len != compat_len)
> 3. compat getsockopt version delegates everything to native getsockopt
>    version
> 4. native getsockopt rejects invalid *len
> 
> -> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.
> 
> After the refactor, event sequence is:
> 1. getsockopt calls "compat" version (len != native_len)
> 2. compat version attempts to copy *len bytes, where *len is random
>    value from userspace

Applied, thanks.

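The sequences in the quoted commit message (compat delegating to native before the "Fixes" commit, compat copying a user-supplied *len after it, and the added check) can be modelled outside the kernel. The following is an added illustration written for this page, not code from the patch or from net/bridge/netfilter/ebtables.c: the struct layouts, their sizes, the dispatch functions old_flow/new_flow_unchecked/new_flow_fixed and the model_copy_to_user() stand-in are all assumptions of the model. model_copy_to_user() reports an over-read of the kernel object as -EFAULT so the "Buffer overflow detected (80 < 137)" condition is visible as a return value instead of a WARN.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the native and compat GET_ENTRIES replies.
 * Field widths differ between the two layouts, as they do for the real
 * ebtables structs; the exact sizes here are assumptions for the model. */
struct native_reply {
    uint64_t nentries;
    uint64_t entries_size;
    char     name[32];
};                              /* 48 bytes */

struct compat_reply {
    uint32_t nentries;
    uint32_t entries_size;
    char     name[32];
};                              /* 40 bytes */

/* Largest buffer user space hands us in this model. */
#define USER_BUF_SIZE 256

/*
 * Model of a fortified copy_to_user(): the kernel object being copied has a
 * known size, and a request to copy more than that is the condition the
 * syzkaller splat reports. The over-read is returned as -EFAULT here (an
 * assumption of the model) so callers can observe it.
 */
static int model_copy_to_user(char *user, const void *kobj, size_t kobj_size,
                              size_t len)
{
    if (len > kobj_size || len > USER_BUF_SIZE)
        return -EFAULT;
    memcpy(user, kobj, len);
    return 0;
}

/* Native handler: rejects a *len that does not match its struct size. */
static int native_get_entries(char *user, unsigned int *len)
{
    struct native_reply r = { 3, 96, "filter" };

    if (*len != sizeof(r))
        return -EINVAL;
    return model_copy_to_user(user, &r, sizeof(r), *len);
}

/* Compat handler as the commit message describes it after the refactor:
 * copies *len bytes, trusting the user-supplied length. */
static int compat_get_entries_unchecked(char *user, unsigned int *len)
{
    struct compat_reply r = { 3, 96, "filter" };

    return model_copy_to_user(user, &r, sizeof(r), *len);
}

/* Compat handler carrying the check the patch adds, mirroring native. */
static int compat_get_entries_fixed(char *user, unsigned int *len)
{
    struct compat_reply r = { 3, 96, "filter" };

    if (*len != sizeof(r))
        return -EINVAL;
    return model_copy_to_user(user, &r, sizeof(r), *len);
}

/* Pre-"Fixes" dispatch: compat sees a *len that is not the compat size,
 * delegates to native, and native's check rejects the bogus value. */
int old_flow(unsigned int len)
{
    char user[USER_BUF_SIZE];

    if (len != sizeof(struct compat_reply))
        return native_get_entries(user, &len);
    return compat_get_entries_unchecked(user, &len);
}

/* Post-refactor dispatch: anything that is not the native size goes to the
 * compat handler, which copies whatever length user space supplied. */
int new_flow_unchecked(unsigned int len)
{
    char user[USER_BUF_SIZE];

    if (len == sizeof(struct native_reply))
        return native_get_entries(user, &len);
    return compat_get_entries_unchecked(user, &len);
}

/* Same dispatch, with the compat handler validating *len itself. */
int new_flow_fixed(unsigned int len)
{
    char user[USER_BUF_SIZE];

    if (len == sizeof(struct native_reply))
        return native_get_entries(user, &len);
    return compat_get_entries_fixed(user, &len);
}
```

Calling new_flow_unchecked(137) trips the over-read check, while new_flow_unchecked(10) silently returns a short copy: the fortify-style check only catches lengths larger than the kernel object, so the explicit *len comparison in the compat handler is what closes both cases, exactly as the native handler already did.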

Thread overview: 7+ messages
2020-08-07  2:26 WARNING in compat_do_ebt_get_ctl syzbot
2020-08-13  3:45 ` [Bridge] " syzbot
2020-08-13  3:45   ` syzbot
2020-08-13  7:46 ` [PATCH nf] netfilter/ebtables: reject bogus getopt len value Florian Westphal
2020-08-13 15:40   ` Christoph Hellwig
2020-08-13 16:05   ` Jakub Kicinski
2020-08-14  9:59   ` Pablo Neira Ayuso [this message]
