* [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt
@ 2024-11-13 13:02 Jeongjun Park
2024-11-14 11:10 ` Paolo Abeni
2024-11-14 11:45 ` Jozsef Kadlecsik
0 siblings, 2 replies; 6+ messages in thread
From: Jeongjun Park @ 2024-11-13 13:02 UTC (permalink / raw)
To: pablo, kadlec
Cc: davem, edumazet, kuba, pabeni, horms, kaber, netfilter-devel,
coreteam, netdev, linux-kernel, stable,
syzbot+58c872f7790a4d2ac951, Jeongjun Park
When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.
So we should add missing range checks and remove unnecessary range checks.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index e4fa00abde6a..5988b9bb9029 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
if (ret)
return ret;
- if (ip > ip_to) {
+ if (ip > ip_to)
swap(ip, ip_to);
- if (ip < map->first_ip)
- return -IPSET_ERR_BITMAP_RANGE;
- }
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
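Review bot: the removed `if (ip < map->first_ip)` was the only lower-bound check that ran after `swap(ip, ip_to)` in the IPSET_ATTR_IP_TO branch, so this hunk is only correct together with the combined check added in the next hunk. The commit message should say so explicitly, so that a stable backport never picks up one hunk without the other. Dropping the braces around the now single-statement `swap()` body matches kernel style.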
@@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
ip_to = ip;
}
- if (ip_to > map->last_ip)
+ if (ip < map->first_ip || ip_to > map->last_ip)
return -IPSET_ERR_BITMAP_RANGE;
for (; !before(ip_to, ip); ip += map->hosts) {
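Review bot: the new condition `ip < map->first_ip || ip_to > map->last_ip` only bounds the whole range if `ip <= ip_to` holds when it is evaluated. The IP_TO branch guarantees that through `swap()` and the fallback through `ip_to = ip`, but what the IPSET_ATTR_CIDR branch assigns lies outside the context shown here. A one-line comment above the check stating that invariant would make the reasoning reviewable. The commit message would also be stronger if it named the failure syzbot reported instead of "it seems that the vulnerability occurs".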
--
* Re: [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt
2024-11-13 13:02 [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt Jeongjun Park
@ 2024-11-14 11:10 ` Paolo Abeni
2024-11-14 11:29 ` Pablo Neira Ayuso
2024-11-14 11:45 ` Jozsef Kadlecsik
1 sibling, 1 reply; 6+ messages in thread
From: Paolo Abeni @ 2024-11-14 11:10 UTC (permalink / raw)
To: Jeongjun Park, pablo, kadlec
Cc: davem, edumazet, kuba, horms, kaber, netfilter-devel, coreteam,
netdev, linux-kernel, stable, syzbot+58c872f7790a4d2ac951
On 11/13/24 14:02, Jeongjun Park wrote:
> When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> the values of ip and ip_to are slightly swapped. Therefore, the range check
> for ip should be done later, but this part is missing and it seems that the
> vulnerability occurs.
>
> So we should add missing range checks and remove unnecessary range checks.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
@Pablo, @Jozsef: despite the subj prefix, I guess this should go via
your tree. Please LMK if you prefer otherwise.
Cheers,
Paolo
* Re: [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt
2024-11-14 11:10 ` Paolo Abeni
@ 2024-11-14 11:29 ` Pablo Neira Ayuso
2024-11-14 11:46 ` Jozsef Kadlecsik
0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2024-11-14 11:29 UTC (permalink / raw)
To: Paolo Abeni
Cc: Jeongjun Park, kadlec, davem, edumazet, kuba, horms, kaber,
netfilter-devel, coreteam, netdev, linux-kernel, stable,
syzbot+58c872f7790a4d2ac951
On Thu, Nov 14, 2024 at 12:10:05PM +0100, Paolo Abeni wrote:
> On 11/13/24 14:02, Jeongjun Park wrote:
> > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> > the values of ip and ip_to are slightly swapped. Therefore, the range check
> > for ip should be done later, but this part is missing and it seems that the
> > vulnerability occurs.
> >
> > So we should add missing range checks and remove unnecessary range checks.
> >
> > Cc: <stable@vger.kernel.org>
> > Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>
> @Pablo, @Jozsef: despite the subj prefix, I guess this should go via
> your tree. Please LMK if you prefer otherwise.
Thanks Paolo.
Patch LGTM. I am waiting for Jozsef to acknowledge this fix.
* Re: [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt
2024-11-13 13:02 [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt Jeongjun Park
2024-11-14 11:10 ` Paolo Abeni
@ 2024-11-14 11:45 ` Jozsef Kadlecsik
1 sibling, 0 replies; 6+ messages in thread
From: Jozsef Kadlecsik @ 2024-11-14 11:45 UTC (permalink / raw)
To: Jeongjun Park
Cc: Pablo Neira Ayuso, David Miller, edumazet, kuba, pabeni, horms,
Patrick McHardy, netfilter-devel, coreteam, netdev, linux-kernel,
stable, syzbot+58c872f7790a4d2ac951
On Wed, 13 Nov 2024, Jeongjun Park wrote:
> When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> the values of ip and ip_to are slightly swapped. Therefore, the range check
> for ip should be done later, but this part is missing and it seems that the
> vulnerability occurs.
>
> So we should add missing range checks and remove unnecessary range checks.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
The patch should be applied to the stable branches too. Thanks!
Best regards,
Jozsef
> ---
> net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
> index e4fa00abde6a..5988b9bb9029 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ip.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
> @@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
> ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
> if (ret)
> return ret;
> - if (ip > ip_to) {
> + if (ip > ip_to)
> swap(ip, ip_to);
> - if (ip < map->first_ip)
> - return -IPSET_ERR_BITMAP_RANGE;
> - }
> } else if (tb[IPSET_ATTR_CIDR]) {
> u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
>
> @@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
> ip_to = ip;
> }
>
> - if (ip_to > map->last_ip)
> + if (ip < map->first_ip || ip_to > map->last_ip)
> return -IPSET_ERR_BITMAP_RANGE;
>
> for (; !before(ip_to, ip); ip += map->hosts) {
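Review bot: the range check in this hunk is the last gate before the `for (; !before(ip_to, ip); ip += map->hosts)` walk, and the patch carries no test for it. Since the fix is headed for the stable branches, a regression case that sends IPSET_ATTR_CIDR without IPSET_ATTR_IP_TO for an address range starting below `map->first_ip` and expects `-IPSET_ERR_BITMAP_RANGE` would keep the lower-bound check from being lost again in a later cleanup.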
> --
>
--
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt
2024-11-14 11:29 ` Pablo Neira Ayuso
@ 2024-11-14 11:46 ` Jozsef Kadlecsik
2024-11-14 12:09 ` Pablo Neira Ayuso
0 siblings, 1 reply; 6+ messages in thread
From: Jozsef Kadlecsik @ 2024-11-14 11:46 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Paolo Abeni, Jeongjun Park, davem, edumazet, kuba, horms, kaber,
netfilter-devel, coreteam, netdev, linux-kernel, stable,
syzbot+58c872f7790a4d2ac951
On Thu, 14 Nov 2024, Pablo Neira Ayuso wrote:
> On Thu, Nov 14, 2024 at 12:10:05PM +0100, Paolo Abeni wrote:
> > On 11/13/24 14:02, Jeongjun Park wrote:
> > > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> > > the values of ip and ip_to are slightly swapped. Therefore, the range check
> > > for ip should be done later, but this part is missing and it seems that the
> > > vulnerability occurs.
> > >
> > > So we should add missing range checks and remove unnecessary range checks.
> > >
> > > Cc: <stable@vger.kernel.org>
> > > Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> > > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> > > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> >
> > @Pablo, @Jozsef: despite the subj prefix, I guess this should go via
> > your tree. Please LMK if you prefer otherwise.
>
> Patch LGTM. I am waiting for Jozsef to acknowledge this fix.
Sorry for the delay at acking the patch. Please apply it to the stable
branches too because those are affected as well.
Best regards,
Jozsef
--
E-mail : kadlec@netfilter.org, kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
Address: Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: [PATCH net v2] netfilter: ipset: add missing range check in bitmap_ip_uadt
2024-11-14 11:46 ` Jozsef Kadlecsik
@ 2024-11-14 12:09 ` Pablo Neira Ayuso
0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2024-11-14 12:09 UTC (permalink / raw)
To: Jozsef Kadlecsik
Cc: Paolo Abeni, Jeongjun Park, davem, edumazet, kuba, horms, kaber,
netfilter-devel, coreteam, netdev, linux-kernel, stable,
syzbot+58c872f7790a4d2ac951
On Thu, Nov 14, 2024 at 12:46:29PM +0100, Jozsef Kadlecsik wrote:
> On Thu, 14 Nov 2024, Pablo Neira Ayuso wrote:
>
> > On Thu, Nov 14, 2024 at 12:10:05PM +0100, Paolo Abeni wrote:
> > > On 11/13/24 14:02, Jeongjun Park wrote:
> > > > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> > > > the values of ip and ip_to are slightly swapped. Therefore, the range check
> > > > for ip should be done later, but this part is missing and it seems that the
> > > > vulnerability occurs.
> > > >
> > > > So we should add missing range checks and remove unnecessary range checks.
> > > >
> > > > Cc: <stable@vger.kernel.org>
> > > > Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> > > > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> > > > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> > >
> > > @Pablo, @Jozsef: despite the subj prefix, I guess this should go via
> > > your tree. Please LMK if you prefer otherwise.
> >
> > Patch LGTM. I am waiting for Jozsef to acknowledge this fix.
>
> Sorry for the delay at acking the patch. Please apply it to the stable
> branches too because those are affected as well.
No problem, preparing PR. Thanks Jozsef.