From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Patrick McHardy <kaber@trash.net>,
davem@davemloft.net, Dmitry Mishin <dim@openvz.org>
Subject: [patch 12/32] NETFILTER: Fix {ip, ip6, arp}_tables hook validation
Date: Fri, 08 Dec 2006 15:58:03 -0800 [thread overview]
Message-ID: <20061209000017.750862000@sous-sol.org> (raw)
In-Reply-To: 20061208235751.890503000@sous-sol.org
[-- Attachment #1: netfilter-fix-ip-ip6-arp-_tables-hook-validation.patch --]
[-- Type: text/plain, Size: 10294 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Dmitry Mishin <dim@openvz.org>
Commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a regression
in match/target hook validation. mark_source_chains builds a bitmask
for each rule representing the hooks it can be reached from, which is
then used by the matches and targets to make sure they are only called
from valid hooks. The patch moved the match/target specific validation
before the mark_source_chains call, at which point the mask is always zero.
This patch returns back to the old order and moves the standard checks
to mark_source_chains. This allows to get rid of a special case for
standard targets as a nice side-effect.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
commit 756c508367e95d6f963502e4feecb8c76aeee332
tree 2be0ffb477e890a713eb48f3993a2f425baf5683
parent 0215ffb08ce99e2bb59eca114a99499a4d06e704
author Dmitry Mishin <dim@openvz.org> Mon, 04 Dec 2006 12:19:27 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 04 Dec 2006 12:19:27 +0100
net/ipv4/netfilter/arp_tables.c | 48 ++++++++++++++--------------
net/ipv4/netfilter/ip_tables.c | 68 ++++++++++++++--------------------------
net/ipv6/netfilter/ip6_tables.c | 59 +++++++++++++---------------------
3 files changed, 72 insertions(+), 103 deletions(-)
--- linux-2.6.19.orig/net/ipv4/netfilter/arp_tables.c
+++ linux-2.6.19/net/ipv4/netfilter/arp_tables.c
@@ -375,6 +375,13 @@ static int mark_source_chains(struct xt_
&& unconditional(&e->arp)) {
unsigned int oldpos, size;
+ if (t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+ return 0;
+ }
+
/* Return: backtrack through the last
* big jump.
*/
@@ -404,6 +411,14 @@ static int mark_source_chains(struct xt_
if (strcmp(t->target.u.user.name,
ARPT_STANDARD_TARGET) == 0
&& newpos >= 0) {
+ if (newpos > newinfo->size -
+ sizeof(struct arpt_entry)) {
+ duprintf("mark_source_chains: "
+ "bad verdict (%i)\n",
+ newpos);
+ return 0;
+ }
+
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
@@ -426,8 +441,6 @@ static int mark_source_chains(struct xt_
static inline int standard_check(const struct arpt_entry_target *t,
unsigned int max_offset)
{
- struct arpt_standard_target *targ = (void *)t;
-
/* Check standard info. */
if (t->u.target_size
!= ARPT_ALIGN(sizeof(struct arpt_standard_target))) {
@@ -437,18 +450,6 @@ static inline int standard_check(const s
return 0;
}
- if (targ->verdict >= 0
- && targ->verdict > max_offset - sizeof(struct arpt_entry)) {
- duprintf("arpt_standard_check: bad verdict (%i)\n",
- targ->verdict);
- return 0;
- }
-
- if (targ->verdict < -NF_MAX_VERDICT - 1) {
- duprintf("arpt_standard_check: bad negative verdict (%i)\n",
- targ->verdict);
- return 0;
- }
return 1;
}
@@ -627,18 +628,20 @@ static int translate_table(const char *n
}
}
+ if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
+ duprintf("Looping hook\n");
+ return -ELOOP;
+ }
+
/* Finally, each sanity check must pass */
i = 0;
ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
check_entry, name, size, &i);
- if (ret != 0)
- goto cleanup;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
- duprintf("Looping hook\n");
- goto cleanup;
+ if (ret != 0) {
+ ARPT_ENTRY_ITERATE(entry0, newinfo->size,
+ cleanup_entry, &i);
+ return ret;
}
/* And one copy for every other CPU */
@@ -647,9 +650,6 @@ static int translate_table(const char *n
memcpy(newinfo->entries[i], entry0, newinfo->size);
}
- return 0;
-cleanup:
- ARPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
return ret;
}
--- linux-2.6.19.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.19/net/ipv4/netfilter/ip_tables.c
@@ -401,6 +401,13 @@ mark_source_chains(struct xt_table_info
&& unconditional(&e->ip)) {
unsigned int oldpos, size;
+ if (t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+ return 0;
+ }
+
/* Return: backtrack through the last
big jump. */
do {
@@ -438,6 +445,13 @@ mark_source_chains(struct xt_table_info
if (strcmp(t->target.u.user.name,
IPT_STANDARD_TARGET) == 0
&& newpos >= 0) {
+ if (newpos > newinfo->size -
+ sizeof(struct ipt_entry)) {
+ duprintf("mark_source_chains: "
+ "bad verdict (%i)\n",
+ newpos);
+ return 0;
+ }
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
@@ -470,27 +484,6 @@ cleanup_match(struct ipt_entry_match *m,
}
static inline int
-standard_check(const struct ipt_entry_target *t,
- unsigned int max_offset)
-{
- struct ipt_standard_target *targ = (void *)t;
-
- /* Check standard info. */
- if (targ->verdict >= 0
- && targ->verdict > max_offset - sizeof(struct ipt_entry)) {
- duprintf("ipt_standard_check: bad verdict (%i)\n",
- targ->verdict);
- return 0;
- }
- if (targ->verdict < -NF_MAX_VERDICT - 1) {
- duprintf("ipt_standard_check: bad negative verdict (%i)\n",
- targ->verdict);
- return 0;
- }
- return 1;
-}
-
-static inline int
check_match(struct ipt_entry_match *m,
const char *name,
const struct ipt_ip *ip,
@@ -576,12 +569,7 @@ check_entry(struct ipt_entry *e, const c
if (ret)
goto err;
- if (t->u.kernel.target == &ipt_standard_target) {
- if (!standard_check(t, size)) {
- ret = -EINVAL;
- goto err;
- }
- } else if (t->u.kernel.target->checkentry
+ if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n",
@@ -718,17 +706,19 @@ translate_table(const char *name,
}
}
+ if (!mark_source_chains(newinfo, valid_hooks, entry0))
+ return -ELOOP;
+
/* Finally, each sanity check must pass */
i = 0;
ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
check_entry, name, size, &i);
- if (ret != 0)
- goto cleanup;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, valid_hooks, entry0))
- goto cleanup;
+ if (ret != 0) {
+ IPT_ENTRY_ITERATE(entry0, newinfo->size,
+ cleanup_entry, &i);
+ return ret;
+ }
/* And one copy for every other CPU */
for_each_possible_cpu(i) {
@@ -736,9 +726,6 @@ translate_table(const char *name,
memcpy(newinfo->entries[i], entry0, newinfo->size);
}
- return 0;
-cleanup:
- IPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
return ret;
}
@@ -1591,18 +1578,13 @@ static int compat_copy_entry_from_user(s
if (ret)
goto err;
- ret = -EINVAL;
- if (t->u.kernel.target == &ipt_standard_target) {
- if (!standard_check(t, *size))
- goto err;
- } else if (t->u.kernel.target->checkentry
+ if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, de, target,
t->data, de->comefrom)) {
duprintf("ip_tables: compat: check failed for `%s'.\n",
t->u.kernel.target->name);
- goto err;
+ ret = -EINVAL;
}
- ret = 0;
err:
return ret;
}
--- linux-2.6.19.orig/net/ipv6/netfilter/ip6_tables.c
+++ linux-2.6.19/net/ipv6/netfilter/ip6_tables.c
@@ -440,6 +440,13 @@ mark_source_chains(struct xt_table_info
&& unconditional(&e->ipv6)) {
unsigned int oldpos, size;
+ if (t->verdict < -NF_MAX_VERDICT - 1) {
+ duprintf("mark_source_chains: bad "
+ "negative verdict (%i)\n",
+ t->verdict);
+ return 0;
+ }
+
/* Return: backtrack through the last
big jump. */
do {
@@ -477,6 +484,13 @@ mark_source_chains(struct xt_table_info
if (strcmp(t->target.u.user.name,
IP6T_STANDARD_TARGET) == 0
&& newpos >= 0) {
+ if (newpos > newinfo->size -
+ sizeof(struct ip6t_entry)) {
+ duprintf("mark_source_chains: "
+ "bad verdict (%i)\n",
+ newpos);
+ return 0;
+ }
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
@@ -509,27 +523,6 @@ cleanup_match(struct ip6t_entry_match *m
}
static inline int
-standard_check(const struct ip6t_entry_target *t,
- unsigned int max_offset)
-{
- struct ip6t_standard_target *targ = (void *)t;
-
- /* Check standard info. */
- if (targ->verdict >= 0
- && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
- duprintf("ip6t_standard_check: bad verdict (%i)\n",
- targ->verdict);
- return 0;
- }
- if (targ->verdict < -NF_MAX_VERDICT - 1) {
- duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
- targ->verdict);
- return 0;
- }
- return 1;
-}
-
-static inline int
check_match(struct ip6t_entry_match *m,
const char *name,
const struct ip6t_ip6 *ipv6,
@@ -616,12 +609,7 @@ check_entry(struct ip6t_entry *e, const
if (ret)
goto err;
- if (t->u.kernel.target == &ip6t_standard_target) {
- if (!standard_check(t, size)) {
- ret = -EINVAL;
- goto err;
- }
- } else if (t->u.kernel.target->checkentry
+ if (t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
e->comefrom)) {
duprintf("ip_tables: check failed for `%s'.\n",
@@ -758,17 +746,19 @@ translate_table(const char *name,
}
}
+ if (!mark_source_chains(newinfo, valid_hooks, entry0))
+ return -ELOOP;
+
/* Finally, each sanity check must pass */
i = 0;
ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
check_entry, name, size, &i);
- if (ret != 0)
- goto cleanup;
-
- ret = -ELOOP;
- if (!mark_source_chains(newinfo, valid_hooks, entry0))
- goto cleanup;
+ if (ret != 0) {
+ IP6T_ENTRY_ITERATE(entry0, newinfo->size,
+ cleanup_entry, &i);
+ return ret;
+ }
/* And one copy for every other CPU */
for_each_possible_cpu(i) {
@@ -777,9 +767,6 @@ translate_table(const char *name,
}
return 0;
-cleanup:
- IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
- return ret;
}
/* Gets counters. */
--
next prev parent reply other threads:[~2006-12-08 23:58 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-08 23:57 [patch 00/32] -stable review Chris Wright
2006-12-08 23:57 ` [patch 01/32] IPV6 NDISC: Calculate packet length correctly for allocation Chris Wright
2006-12-08 23:57 ` [patch 02/32] softmac: remove netif_tx_disable when scanning Chris Wright
2006-12-08 23:57 ` [patch 03/32] EBTABLES: Fix wraparounds in ebt_entries verification Chris Wright
2006-12-08 23:57 ` [patch 04/32] EBTABLES: Verify that ebt_entries have zero ->distinguisher Chris Wright
2006-12-08 23:57 ` [patch 05/32] EBTABLES: Deal with the worst-case behaviour in loop checks Chris Wright
2006-12-08 23:57 ` [patch 06/32] EBTABLES: Prevent wraparounds in checks for entry components sizes Chris Wright
2006-12-08 23:57 ` [patch 07/32] NET_SCHED: policer: restore compatibility with old iproute binaries Chris Wright
2006-12-08 23:57 ` [patch 08/32] cryptoloop: Select CRYPTO_CBC Chris Wright
2006-12-09 6:32 ` Rene Herman
2006-12-09 22:50 ` Herbert Xu
2006-12-08 23:58 ` [patch 09/32] Revert "ACPI: SCI interrupt source override" Chris Wright
2006-12-08 23:58 ` [patch 10/32] PKT_SCHED act_gact: division by zero Chris Wright
2006-12-08 23:58 ` [patch 11/32] SUNHME: Fix for sunhme failures on x86 Chris Wright
2006-12-08 23:58 ` Chris Wright [this message]
2006-12-08 23:58 ` [patch 13/32] NETFILTER: Fix iptables compat hook validation Chris Wright
2006-12-08 23:58 ` [patch 14/32] NETFILTER: bridge netfilter: deal with martians correctly Chris Wright
2006-12-08 23:58 ` [patch 15/32] softmac: fix unbalanced mutex_lock/unlock in ieee80211softmac_wx_set_mlme Chris Wright
2006-12-08 23:58 ` [patch 16/32] IB/ucm: Fix deadlock in cleanup Chris Wright
2006-12-08 23:58 ` [patch 17/32] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304) Chris Wright
2006-12-08 23:58 ` [patch 18/32] TOKENRING: Remote memory corruptor in ibmtr.c Chris Wright
2006-12-08 23:58 ` [patch 19/32] XFRM: Use output device disable_xfrm for forwarded packets Chris Wright
2006-12-08 23:58 ` [patch 20/32] USB: Fix oops in PhidgetServo Chris Wright
2006-12-08 23:58 ` [patch 21/32] IPSEC: Fix inetpeer leak in ipv4 xfrm dst entries Chris Wright
2006-12-08 23:58 ` [patch 22/32] IrDA: Incorrect TTP header reservation Chris Wright
2006-12-08 23:58 ` [patch 23/32] NETLINK: Restore API compatibility of address and neighbour bits Chris Wright
2006-12-08 23:58 ` [patch 24/32] add bottom_half.h Chris Wright
2006-12-09 13:50 ` Thomas Backlund
2006-12-08 23:58 ` [patch 25/32] drm-sis linkage fix Chris Wright
2006-12-08 23:58 ` [patch 26/32] compat: skip data conversion in compat_sys_mount when data_page is NULL Chris Wright
2006-12-08 23:58 ` [patch 27/32] PM: Fix swsusp debug mode testproc Chris Wright
2006-12-08 23:58 ` [patch 28/32] autofs: fix error code path in autofs_fill_sb() Chris Wright
2006-12-09 3:48 ` Ian Kent
2006-12-09 18:58 ` Chris Wright
2006-12-08 23:58 ` [patch 29/32] softirq: remove BUG_ONs which can incorrectly trigger Chris Wright
2006-12-08 23:58 ` [patch 30/32] m32r: make userspace headers platform-independent Chris Wright
2006-12-08 23:58 ` [patch 31/32] x86_64: fix boot hang due to nmi watchdog init code Chris Wright
2006-12-11 18:33 ` [stable] " Chris Wright
2006-12-08 23:58 ` [patch 32/32] forcedeth: Disable INTx when enabling MSI in forcedeth Chris Wright
2006-12-09 0:38 ` [stable] [patch 00/32] -stable review Chris Wright
2006-12-09 1:36 ` [patch 33/32] NETLINK: Put {IFA,IFLA}_{RTA,PAYLOAD} macros back for userspace Chris Wright
2006-12-09 11:26 ` [patch 00/32] -stable review Stefan Lippers-Hollmann
2006-12-09 21:42 ` Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061209000017.750862000@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=dim@openvz.org \
--cc=jmforbes@linuxtx.org \
--cc=kaber@trash.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox