linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.15 14/45] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
Date: Fri, 23 Feb 2018 19:28:53 +0100
Message-ID: <20180223170717.611089900@linuxfoundation.org>
In-Reply-To: <20180223170715.197760019@linuxfoundation.org>

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit da17c73b6eb74aad3c3c0654394635675b623b3e upstream.

It looks like syzbot found its way into netfilter territory.

Issue here is that @name comes from user space and might
not be null terminated.

Out-of-bound reads happen, KASAN is not happy.

v2 added similar fix for xt_request_find_target(),
as Florian advised.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/x_tables.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -209,6 +209,9 @@ xt_request_find_match(uint8_t nfproto, c
 {
 	struct xt_match *match;
 
+	if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+		return ERR_PTR(-EINVAL);
+
 	match = xt_find_match(nfproto, name, revision);
 	if (IS_ERR(match)) {
 		request_module("%st_%s", xt_prefix[nfproto], name);
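Review bot: the new strnlen() guard at the top of xt_request_find_match() has no comment, and nothing in the code says why it is there or what it relies on. The commit message gives the reason (@name comes from user space and might not be NUL terminated), but a reader of x_tables.c will not see that. A one-line comment above the check would help, stating that name must contain a NUL within XT_EXTENSION_MAXNAMELEN bytes because both xt_find_match() and the "%st_%s" request_module() call below consume it as a C string. The comment should also state the assumption that the buffer behind name is at least XT_EXTENSION_MAXNAMELEN bytes long, since strnlen() will read that far when no NUL is found and the hunk does not show where that size is guaranteed.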
@@ -251,6 +254,9 @@ struct xt_target *xt_request_find_target
 {
 	struct xt_target *target;
 
+	if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+		return ERR_PTR(-EINVAL);
+
 	target = xt_find_target(af, name, revision);
 	if (IS_ERR(target)) {
 		request_module("%st_%s", xt_prefix[af], name);
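Review bot: the check added to xt_request_find_target() is a verbatim copy of the one in xt_request_find_match(), so the two can drift apart if the bound or the error code is ever changed in only one place. Consider moving the test into a small static helper in x_tables.c (for example one that returns true when strnlen(name, XT_EXTENSION_MAXNAMELEN) is below XT_EXTENSION_MAXNAMELEN) and calling it from both functions before xt_find_target() / xt_find_match() and the request_module() fallback.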
