[PATCH 4.4 61/75] netfilter: x_tables: validate e->target_offset early

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.4 61/75] netfilter: x_tables: validate e->target_offset early
Date: Wed, 22 Jun 2016 15:41:23 -0700	[thread overview]
Message-ID: <20160622223503.063310159@linuxfoundation.org> (raw)
In-Reply-To: <20160622223500.055133765@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit bdf533de6968e9686df777dc178486f600c6e617 upstream.

We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/netfilter/arp_tables.c |   17 ++++++++---------
 net/ipv4/netfilter/ip_tables.c  |   17 ++++++++---------
 net/ipv6/netfilter/ip6_tables.c |   17 ++++++++---------
 3 files changed, 24 insertions(+), 27 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -474,14 +474,12 @@ next:
 	return 1;
 }
 
-static inline int check_entry(const struct arpt_entry *e, const char *name)
+static inline int check_entry(const struct arpt_entry *e)
 {
 	const struct xt_entry_target *t;
 
-	if (!arp_checkentry(&e->arp)) {
-		duprintf("arp_tables: arp check failed %p %s.\n", e, name);
+	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
-	}
 
 	if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
 		return -EINVAL;
@@ -522,10 +520,6 @@ find_check_entry(struct arpt_entry *e, c
 	struct xt_target *target;
 	int ret;
 
-	ret = check_entry(e, name);
-	if (ret)
-		return ret;
-
 	e->counters.pcnt = xt_percpu_counter_alloc();
 	if (IS_ERR_VALUE(e->counters.pcnt))
 		return -ENOMEM;
@@ -576,6 +570,7 @@ static inline int check_entry_size_and_h
 					     unsigned int valid_hooks)
 {
 	unsigned int h;
+	int err;
 
 	if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
 	    (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
@@ -590,6 +585,10 @@ static inline int check_entry_size_and_h
 		return -EINVAL;
 	}
 
+	err = check_entry(e);
+	if (err)
+		return err;
+
 	/* Check hooks & underflows */
 	for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
 		if (!(valid_hooks & (1 << h)))
@@ -1246,7 +1245,7 @@ check_compat_entry_size_and_hooks(struct
 	}
 
 	/* For purposes of check_entry casting the compat entry is fine */
-	ret = check_entry((struct arpt_entry *)e, name);
+	ret = check_entry((struct arpt_entry *)e);
 	if (ret)
 		return ret;
 
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -569,14 +569,12 @@ static void cleanup_match(struct xt_entr
 }
 
 static int
-check_entry(const struct ipt_entry *e, const char *name)
+check_entry(const struct ipt_entry *e)
 {
 	const struct xt_entry_target *t;
 
-	if (!ip_checkentry(&e->ip)) {
-		duprintf("ip check failed %p %s.\n", e, name);
+	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
-	}
 
 	if (e->target_offset + sizeof(struct xt_entry_target) >
 	    e->next_offset)
@@ -666,10 +664,6 @@ find_check_entry(struct ipt_entry *e, st
 	struct xt_mtchk_param mtpar;
 	struct xt_entry_match *ematch;
 
-	ret = check_entry(e, name);
-	if (ret)
-		return ret;
-
 	e->counters.pcnt = xt_percpu_counter_alloc();
 	if (IS_ERR_VALUE(e->counters.pcnt))
 		return -ENOMEM;
@@ -741,6 +735,7 @@ check_entry_size_and_hooks(struct ipt_en
 			   unsigned int valid_hooks)
 {
 	unsigned int h;
+	int err;
 
 	if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
 	    (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
@@ -755,6 +750,10 @@ check_entry_size_and_hooks(struct ipt_en
 		return -EINVAL;
 	}
 
+	err = check_entry(e);
+	if (err)
+		return err;
+
 	/* Check hooks & underflows */
 	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
 		if (!(valid_hooks & (1 << h)))
@@ -1506,7 +1505,7 @@ check_compat_entry_size_and_hooks(struct
 	}
 
 	/* For purposes of check_entry casting the compat entry is fine */
-	ret = check_entry((struct ipt_entry *)e, name);
+	ret = check_entry((struct ipt_entry *)e);
 	if (ret)
 		return ret;
 
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -581,14 +581,12 @@ static void cleanup_match(struct xt_entr
 }
 
 static int
-check_entry(const struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e)
 {
 	const struct xt_entry_target *t;
 
-	if (!ip6_checkentry(&e->ipv6)) {
-		duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
-	}
 
 	if (e->target_offset + sizeof(struct xt_entry_target) >
 	    e->next_offset)
@@ -679,10 +677,6 @@ find_check_entry(struct ip6t_entry *e, s
 	struct xt_mtchk_param mtpar;
 	struct xt_entry_match *ematch;
 
-	ret = check_entry(e, name);
-	if (ret)
-		return ret;
-
 	e->counters.pcnt = xt_percpu_counter_alloc();
 	if (IS_ERR_VALUE(e->counters.pcnt))
 		return -ENOMEM;
@@ -753,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_e
 			   unsigned int valid_hooks)
 {
 	unsigned int h;
+	int err;
 
 	if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
 	    (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
@@ -767,6 +762,10 @@ check_entry_size_and_hooks(struct ip6t_e
 		return -EINVAL;
 	}
 
+	err = check_entry(e);
+	if (err)
+		return err;
+
 	/* Check hooks & underflows */
 	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
 		if (!(valid_hooks & (1 << h)))
@@ -1518,7 +1517,7 @@ check_compat_entry_size_and_hooks(struct
 	}
 
 	/* For purposes of check_entry casting the compat entry is fine */
-	ret = check_entry((struct ip6t_entry *)e, name);
+	ret = check_entry((struct ip6t_entry *)e);
 	if (ret)
 		return ret;

next prev parent reply	other threads:[~2016-06-22 23:12 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-22 22:40 [PATCH 4.4 00/75] 4.4.14-stable review Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 01/75] scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 02/75] scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 03/75] tipc: check nl sock before parsing nested attributes Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 04/75] netlink: Fix dump skb leak/double free Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 05/75] tipc: fix nametable publication field in nl compat Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 06/75] switchdev: pass pointer to fib_info instead of copy Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 07/75] tuntap: correctly wake up process during uninit Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 08/75] bpf: Use mount_nodev not mount_ns to mount the bpf filesystem Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 09/75] udp: prevent skbs lingering in tunnel socket queues Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 10/75] uapi glibc compat: fix compilation when !__USE_MISC in glibc Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 11/75] bpf, inode: disallow userns mounts Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 12/75] sfc: on MC reset, clear PIO buffer linkage in TXQs Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 13/75] team: dont call netdev_change_features under team->lock Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 14/75] vxlan: Accept user specified MTU value when create new vxlan link Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 15/75] tcp: record TLP and ER timer stats in v6 stats Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 16/75] bridge: Dont insert unnecessary local fdb entry on changing mac address Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 17/75] l2tp: fix configuration passed to setup_udp_tunnel_sock() Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 18/75] ipv6: Skip XFRM lookup if dst_entry in socket cache is valid Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 19/75] vxlan: Relax MTU constraints Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 20/75] geneve: " Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 21/75] vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 24/75] ALSA: hda - Add PCI ID for Kabylake Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 25/75] ALSA: hda - Fix headset mic detection problem for Dell machine Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 26/75] ALSA: hda/realtek - ALC256 speaker noise issue Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 27/75] ALSA: hda/realtek - Add support for new codecs ALC700/ALC701/ALC703 Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 28/75] ALSA: hda/realtek: Add T560 docking unit fixup Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 29/75] ARM: fix PTRACE_SETVFPREGS on SMP systems Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 30/75] gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 31/75] s390/bpf: fix recache skb->data/hlen for skb_vlan_push/pop Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 32/75] s390/bpf: reduce maximum program size to 64 KB Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 33/75] irqchip/gic-v3: Fix ICC_SGI1R_EL1.INTID decoding mask Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 34/75] crypto: public_key: select CRYPTO_AKCIPHER Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 35/75] crypto: ccp - Fix AES XTS error for request sizes above 4096 Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 36/75] arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks Greg Kroah-Hartman
2016-06-22 22:40 ` [PATCH 4.4 37/75] arm64: mm: always take dirty state from new pte in ptep_set_access_flags Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 38/75] powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 39/75] powerpc: Fix definition of SIAR and SDAR registers Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 40/75] powerpc: Use privileged SPR number for MMCR2 Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 41/75] powerpc/pseries: Add POWER8NVL support to ibm,client-architecture-support call Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 42/75] pinctrl: mediatek: fix dual-edge code defect Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 43/75] parisc: Fix pagefault crash in unaligned __get_user() call Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 44/75] memcg: add RCU locking around css_for_each_descendant_pre() in memcg_offline_kmem() Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 45/75] ecryptfs: forbid opening files without mmap handler Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 46/75] wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 47/75] x86/entry/traps: Dont force in_interrupt() to return true in IST handlers Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 48/75] proc: prevent stacking filesystems on top Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 49/75] sched: panic on corrupted stack end Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 50/75] fix d_walk()/non-delayed __d_free() race Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 51/75] sparc: Fix system call tracing register handling Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 52/75] sparc64: Fix bootup regressions on some Kconfig combinations Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 53/75] sparc64: Fix numa node distance initialization Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 54/75] sparc64: Fix sparc64_set_context stack handling Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 55/75] sparc/PCI: Fix for panic while enabling SR-IOV Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 56/75] sparc64: Reduce TLB flushes during hugepte changes Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 57/75] sparc64: Take ctx_alloc_lock properly in hugetlb_setup() Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 58/75] sparc: Harden signal return frame checks Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 59/75] sparc64: Fix return from trap window fill crashes Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 60/75] MIPS: Fix 64k page support for 32 bit kernels Greg Kroah-Hartman
2016-06-22 22:41 ` Greg Kroah-Hartman [this message]
2016-06-22 22:41 ` [PATCH 4.4 62/75] netfilter: x_tables: make sure e->next_offset covers remaining blob size Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 63/75] netfilter: x_tables: fix unconditional helper Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 64/75] crypto: qat - fix adf_ctl_drv.c:undefined reference to adf_init_pf_wq Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 65/75] drm/core: Do not preserve framebuffer on rmfb, v4 Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 66/75] netfilter: x_tables: dont move to non-existent next rule Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 67/75] netfilter: x_tables: validate targets of jumps Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 68/75] netfilter: x_tables: add and use xt_check_entry_offsets Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 69/75] netfilter: x_tables: kill check_entry helper Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 70/75] netfilter: x_tables: assert minimum target size Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 71/75] netfilter: x_tables: add compat version of xt_check_entry_offsets Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 72/75] netfilter: x_tables: check standard target size too Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 73/75] netfilter: x_tables: check for bogus target offset Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 74/75] netfilter: x_tables: validate all offsets and sizes in a rule Greg Kroah-Hartman
2016-06-22 22:41 ` [PATCH 4.4 75/75] netfilter: x_tables: dont reject valid target size on some architectures Greg Kroah-Hartman
2016-06-23  4:54 ` [PATCH 4.4 00/75] 4.4.14-stable review -rc2 Greg Kroah-Hartman
2016-06-23 19:43   ` Guenter Roeck
2016-06-23 21:53   ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160622223503.063310159@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=fw@strlen.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox