[PATCH 5.4 13/18] netfilter: x_tables: fix compat match/target pad out-of-bound write

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com,
	Andy Nguyen <theflow@google.com>, Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 5.4 13/18] netfilter: x_tables: fix compat match/target pad out-of-bound write
Date: Thu, 15 Apr 2021 16:48:06 +0200	[thread overview]
Message-ID: <20210415144413.468212358@linuxfoundation.org> (raw)
In-Reply-To: <20210415144413.055232956@linuxfoundation.org>

From: Florian Westphal <fw@strlen.de>

commit b29c457a6511435960115c0f548c4360d5f4801d upstream.

xt_compat_match/target_from_user doesn't check that zeroing the area
to start of next rule won't write past end of allocated ruleset blob.

Remove this code and zero the entire blob beforehand.

Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
Reported-by: Andy Nguyen <theflow@google.com>
Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/netfilter/arp_tables.c |    2 ++
 net/ipv4/netfilter/ip_tables.c  |    2 ++
 net/ipv6/netfilter/ip6_tables.c |    2 ++
 net/netfilter/x_tables.c        |   10 ++--------
 4 files changed, 8 insertions(+), 8 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1196,6 +1196,8 @@ static int translate_compat_table(struct
 	if (!newinfo)
 		goto out_unlock;
 
+	memset(newinfo->entries, 0, size);
+
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = compatr->hook_entry[i];
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1430,6 +1430,8 @@ translate_compat_table(struct net *net,
 	if (!newinfo)
 		goto out_unlock;
 
+	memset(newinfo->entries, 0, size);
+
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = compatr->hook_entry[i];
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1445,6 +1445,8 @@ translate_compat_table(struct net *net,
 	if (!newinfo)
 		goto out_unlock;
 
+	memset(newinfo->entries, 0, size);
+
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = compatr->hook_entry[i];
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -733,7 +733,7 @@ void xt_compat_match_from_user(struct xt
 {
 	const struct xt_match *match = m->u.kernel.match;
 	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
-	int pad, off = xt_compat_match_offset(match);
+	int off = xt_compat_match_offset(match);
 	u_int16_t msize = cm->u.user.match_size;
 	char name[sizeof(m->u.user.name)];
 
@@ -743,9 +743,6 @@ void xt_compat_match_from_user(struct xt
 		match->compat_from_user(m->data, cm->data);
 	else
 		memcpy(m->data, cm->data, msize - sizeof(*cm));
-	pad = XT_ALIGN(match->matchsize) - match->matchsize;
-	if (pad > 0)
-		memset(m->data + match->matchsize, 0, pad);
 
 	msize += off;
 	m->u.user.match_size = msize;
@@ -1116,7 +1113,7 @@ void xt_compat_target_from_user(struct x
 {
 	const struct xt_target *target = t->u.kernel.target;
 	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
-	int pad, off = xt_compat_target_offset(target);
+	int off = xt_compat_target_offset(target);
 	u_int16_t tsize = ct->u.user.target_size;
 	char name[sizeof(t->u.user.name)];
 
@@ -1126,9 +1123,6 @@ void xt_compat_target_from_user(struct x
 		target->compat_from_user(t->data, ct->data);
 	else
 		memcpy(t->data, ct->data, tsize - sizeof(*ct));
-	pad = XT_ALIGN(target->targetsize) - target->targetsize;
-	if (pad > 0)
-		memset(t->data + target->targetsize, 0, pad);
 
 	tsize += off;
 	t->u.user.target_size = tsize;

next prev parent reply	other threads:[~2021-04-15 15:10 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-15 14:47 [PATCH 5.4 00/18] 5.4.113-rc1 review Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 5.4 01/18] interconnect: core: fix error return code of icc_link_destroy() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 5.4 02/18] KVM: arm64: Hide system instruction access to Trace registers Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 5.4 03/18] KVM: arm64: Disable guest access to trace filter controls Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 5.4 04/18] drm/imx: imx-ldb: fix out of bounds array access warning Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 5.4 05/18] gfs2: report "already frozen/thawed" errors Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 5.4 06/18] drm/tegra: dc: Dont set PLL clock to 0Hz Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 07/18] block: only update parent bi_status when bio fail Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 08/18] radix tree test suite: Register the main thread with the RCU library Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 09/18] idr test suite: Take RCU read lock in idr_find_test_1 Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 10/18] idr test suite: Create anchor before launching throbber Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 11/18] riscv,entry: fix misaligned base for excp_vect_table Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 12/18] block: dont ignore REQ_NOWAIT for direct IO Greg Kroah-Hartman
2021-04-15 14:48 ` Greg Kroah-Hartman [this message]
2021-04-15 14:48 ` [PATCH 5.4 14/18] driver core: Fix locking bug in deferred_probe_timeout_work_func() Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 15/18] perf tools: Use %define api.pure full instead of %pure-parser Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 16/18] perf tools: Use %zd for size_t printf formats on 32-bit Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 17/18] perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches Greg Kroah-Hartman
2021-04-15 14:48 ` [PATCH 5.4 18/18] xen/events: fix setting irq affinity Greg Kroah-Hartman
2021-04-15 22:43 ` [PATCH 5.4 00/18] 5.4.113-rc1 review Shuah Khan
2021-04-16  0:45 ` Florian Fainelli
2021-04-16  3:40 ` Samuel Zou
2021-04-16  9:21 ` Jon Hunter
2021-04-16  9:43 ` Naresh Kamboju
2021-04-16 20:04 ` Sudip Mukherjee

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210415144413.468212358@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=fw@strlen.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com \
    --cc=theflow@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.