From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 18/45] netfilter: complete validation of user input
Date: Mon, 15 Apr 2024 16:21:25 +0200 [thread overview]
Message-ID: <20240415141942.792039769@linuxfoundation.org> (raw)
In-Reply-To: <20240415141942.235939111@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]
In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.
In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:
if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
return -EINVAL;
Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arp_tables.c | 4 ++++
net/ipv4/netfilter/ip_tables.c | 4 ++++
net/ipv6/netfilter/ip6_tables.c | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 07ecb16231cd0..a9d5a1973224a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -965,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
return -ENOMEM;
if (tmp.num_counters == 0)
return -EINVAL;
+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
+ return -EINVAL;
tmp.name[sizeof(tmp.name)-1] = 0;
@@ -1265,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
return -ENOMEM;
if (tmp.num_counters == 0)
return -EINVAL;
+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
+ return -EINVAL;
tmp.name[sizeof(tmp.name)-1] = 0;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 1e1e7488d6bf1..aee7cd584c926 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1119,6 +1119,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
return -ENOMEM;
if (tmp.num_counters == 0)
return -EINVAL;
+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
+ return -EINVAL;
tmp.name[sizeof(tmp.name)-1] = 0;
@@ -1505,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
return -ENOMEM;
if (tmp.num_counters == 0)
return -EINVAL;
+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
+ return -EINVAL;
tmp.name[sizeof(tmp.name)-1] = 0;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index b17990d514ee9..afd22ea9f555b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1137,6 +1137,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
return -ENOMEM;
if (tmp.num_counters == 0)
return -EINVAL;
+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
+ return -EINVAL;
tmp.name[sizeof(tmp.name)-1] = 0;
@@ -1515,6 +1517,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
return -ENOMEM;
if (tmp.num_counters == 0)
return -EINVAL;
+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
+ return -EINVAL;
tmp.name[sizeof(tmp.name)-1] = 0;
--
2.43.0
next prev parent reply other threads:[~2024-04-15 14:42 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-15 14:21 [PATCH 5.15 00/45] 5.15.156-rc1 review Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 01/45] batman-adv: Avoid infinite loop trying to resize local TT Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 02/45] ring-buffer: Only update pages_touched when a new page is touched Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 03/45] Bluetooth: Fix memory leak in hci_req_sync_complete() Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 04/45] media: cec: core: remove length check of Timer Status Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 05/45] arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 06/45] Revert "drm/qxl: simplify qxl_fence_wait" Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 07/45] nouveau: fix function cast warning Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 08/45] scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 09/45] net: openvswitch: fix unwanted error log on timeout policy probing Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 10/45] u64_stats: Disable preemption on 32bit UP+SMP PREEMPT_RT during updates Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 11/45] xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 12/45] geneve: fix header validation in geneve[6]_xmit_skb Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 13/45] af_unix: Clear stale u->oob_skb Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 14/45] octeontx2-af: Fix NIX SQ mode and BP config Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 15/45] ipv6: fib: hide unused pn variable Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 16/45] ipv4/route: avoid unused-but-set-variable warning Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 17/45] ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr Greg Kroah-Hartman
2024-04-15 14:21 ` Greg Kroah-Hartman [this message]
2024-04-15 14:21 ` [PATCH 5.15 19/45] net/mlx5: Properly link new fs rules into the tree Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 20/45] net: sparx5: fix wrong config being used when reconfiguring PCS Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 21/45] net: dsa: mt7530: trap link-local frames regardless of ST Port State Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 22/45] af_unix: Do not use atomic ops for unix_sk(sk)->inflight Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 23/45] af_unix: Fix garbage collector racing against connect() Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 24/45] net: ena: Fix potential sign extension issue Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 25/45] net: ena: Wrong missing IO completions check order Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 26/45] net: ena: Fix incorrect descriptor free behavior Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 27/45] tracing: hide unused ftrace_event_id_fops Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 28/45] iommu/vt-d: Allocate local memory for page request queue Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 29/45] btrfs: qgroup: correctly model root qgroup rsv in convert Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 30/45] drm/client: Fully protect modes[] with dev->mode_config.mutex Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 31/45] vhost: Add smp_rmb() in vhost_vq_avail_empty() Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 32/45] perf/x86: Fix out of range data Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 33/45] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 34/45] selftests: timers: Fix abs() warning in posix_timers test Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 35/45] x86/apic: Force native_apic_mem_read() to use the MOV instruction Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 36/45] irqflags: Explicitly ignore lockdep_hrtimer_exit() argument Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 37/45] x86/bugs: Fix return type of spectre_bhi_state() Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 38/45] x86/bugs: Fix BHI documentation Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 39/45] x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 40/45] x86/bugs: Rename various ia32_cap variables to x86_arch_cap_msr Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 41/45] x86/bugs: Fix BHI handling of RRSBA Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 42/45] x86/bugs: Clarify that syscall hardening isnt a BHI mitigation Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 43/45] x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 44/45] x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI Greg Kroah-Hartman
2024-04-15 14:21 ` [PATCH 5.15 45/45] drm/i915/cdclk: Fix CDCLK programming order when pipes are active Greg Kroah-Hartman
2024-04-15 16:47 ` [PATCH 5.15 00/45] 5.15.156-rc1 review Florian Fainelli
2024-04-15 23:53 ` Kelsey Steele
2024-04-16 0:20 ` Mark Brown
2024-04-16 6:45 ` Ron Economos
2024-04-16 7:45 ` Harshit Mogalapalli
2024-04-16 10:37 ` Jon Hunter
2024-04-16 14:30 ` Pascal Ernster
2024-04-16 14:46 ` Greg Kroah-Hartman
2024-04-17 7:12 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240415141942.792039769@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=pablo@netfilter.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.