* iptables: ensure number of counters is >0 in do_replace() @ 2015-05-19 23:11 Dave Jones 2015-05-19 23:19 ` Florian Westphal 0 siblings, 1 reply; 6+ messages in thread From: Dave Jones @ 2015-05-19 23:11 UTC (permalink / raw) To: netfilter-devel; +Cc: netdev After improving setsockopt() coverage in trinity, I started triggering vmalloc failures pretty reliably from this code path: warn_alloc_failed+0xe9/0x140 __vmalloc_node_range+0x1be/0x270 vzalloc+0x4b/0x50 __do_replace+0x52/0x260 [ip_tables] do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] nf_setsockopt+0x65/0x90 ip_setsockopt+0x61/0xa0 raw_setsockopt+0x16/0x60 sock_common_setsockopt+0x14/0x20 SyS_setsockopt+0x71/0xd0 It turns out we don't validate that the num_counters field in the struct we pass in from userspace is initialized. Signed-off-by: Dave Jones <davej@codemonkey.org.uk> diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index c69db7fa25ee..12a33d178614 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) /* overflow check */ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: iptables: ensure number of counters is >0 in do_replace() 2015-05-19 23:11 iptables: ensure number of counters is >0 in do_replace() Dave Jones @ 2015-05-19 23:19 ` Florian Westphal 2015-05-19 23:42 ` Dave Jones 0 siblings, 1 reply; 6+ messages in thread From: Florian Westphal @ 2015-05-19 23:19 UTC (permalink / raw) To: Dave Jones; +Cc: netfilter-devel, netdev Dave Jones <davej@codemonkey.org.uk> wrote: > After improving setsockopt() coverage in trinity, I started triggering > vmalloc failures pretty reliably from this code path: > > warn_alloc_failed+0xe9/0x140 > __vmalloc_node_range+0x1be/0x270 > vzalloc+0x4b/0x50 > __do_replace+0x52/0x260 [ip_tables] > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] > nf_setsockopt+0x65/0x90 > ip_setsockopt+0x61/0xa0 > raw_setsockopt+0x16/0x60 > sock_common_setsockopt+0x14/0x20 > SyS_setsockopt+0x71/0xd0 > > It turns out we don't validate that the num_counters field in the > struct we pass in from userspace is initialized. > > Signed-off-by: Dave Jones <davej@codemonkey.org.uk> > > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c > index c69db7fa25ee..12a33d178614 100644 > --- a/net/ipv4/netfilter/ip_tables.c > +++ b/net/ipv4/netfilter/ip_tables.c > @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) > /* overflow check */ > if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) > return -ENOMEM; > + if (tmp.num_counters == 0) > + return -EINVAL; > + Good catch. Due to iptables wonderful copy-paste programming model, this also needs fixing in compat_do_replace, ip6tables, arbtables and ebtables (8 different places, ick). ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: iptables: ensure number of counters is >0 in do_replace() 2015-05-19 23:19 ` Florian Westphal @ 2015-05-19 23:42 ` Dave Jones 2015-05-20 0:20 ` David Miller 0 siblings, 1 reply; 6+ messages in thread From: Dave Jones @ 2015-05-19 23:42 UTC (permalink / raw) To: Florian Westphal; +Cc: netfilter-devel, netdev On Wed, May 20, 2015 at 01:19:50AM +0200, Florian Westphal wrote: > Dave Jones <davej@codemonkey.org.uk> wrote: > > After improving setsockopt() coverage in trinity, I started triggering > > vmalloc failures pretty reliably from this code path: > > > > warn_alloc_failed+0xe9/0x140 > > __vmalloc_node_range+0x1be/0x270 > > vzalloc+0x4b/0x50 > > __do_replace+0x52/0x260 [ip_tables] > > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] > > nf_setsockopt+0x65/0x90 > > ip_setsockopt+0x61/0xa0 > > raw_setsockopt+0x16/0x60 > > sock_common_setsockopt+0x14/0x20 > > SyS_setsockopt+0x71/0xd0 > > > > It turns out we don't validate that the num_counters field in the > > struct we pass in from userspace is initialized. > > > > Signed-off-by: Dave Jones <davej@codemonkey.org.uk> > > > > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c > > index c69db7fa25ee..12a33d178614 100644 > > --- a/net/ipv4/netfilter/ip_tables.c > > +++ b/net/ipv4/netfilter/ip_tables.c > > @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) > > /* overflow check */ > > if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) > > return -ENOMEM; > > + if (tmp.num_counters == 0) > > + return -EINVAL; > > + > > Good catch. Due to iptables wonderful copy-paste programming model, > this also needs fixing in compat_do_replace, ip6tables, arbtables and > ebtables (8 different places, ick). ugh. ok, I'll fix them all up. What's the preferred format, 8 separate patches, or 1 all-in-one diff for all instances of this bug ? thanks, Dave ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: iptables: ensure number of counters is >0 in do_replace() 2015-05-19 23:42 ` Dave Jones @ 2015-05-20 0:20 ` David Miller 2015-05-20 0:55 ` netfilter: " Dave Jones 0 siblings, 1 reply; 6+ messages in thread From: David Miller @ 2015-05-20 0:20 UTC (permalink / raw) To: davej; +Cc: fw, netfilter-devel, netdev From: Dave Jones <davej@codemonkey.org.uk> Date: Tue, 19 May 2015 19:42:52 -0400 > What's the preferred format, 8 separate patches, or 1 all-in-one > diff for all instances of this bug ? Personally, I think you could do this in one patch. ^ permalink raw reply [flat|nested] 6+ messages in thread
* netfilter: ensure number of counters is >0 in do_replace() 2015-05-20 0:20 ` David Miller @ 2015-05-20 0:55 ` Dave Jones 2015-05-21 11:42 ` Pablo Neira Ayuso 0 siblings, 1 reply; 6+ messages in thread From: Dave Jones @ 2015-05-20 0:55 UTC (permalink / raw) To: netfilter-devel; +Cc: netdev, fw, David Miller After improving setsockopt() coverage in trinity, I started triggering vmalloc failures pretty reliably from this code path: warn_alloc_failed+0xe9/0x140 __vmalloc_node_range+0x1be/0x270 vzalloc+0x4b/0x50 __do_replace+0x52/0x260 [ip_tables] do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] nf_setsockopt+0x65/0x90 ip_setsockopt+0x61/0xa0 raw_setsockopt+0x16/0x60 sock_common_setsockopt+0x14/0x20 SyS_setsockopt+0x71/0xd0 It turns out we don't validate that the num_counters field in the struct we pass in from userspace is initialized. The same problem also exists in ebtables, arptables, ipv6, and the compat variants. Signed-off-by: Dave Jones <davej@codemonkey.org.uk> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 91180a7fc943..24c7c96bf5f8 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1117,6 +1117,8 @@ static int do_replace(struct net *net, const void __user *user, return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; tmp.name[sizeof(tmp.name) - 1] = 0; @@ -2159,6 +2161,8 @@ static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl, return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry)); diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 13bfe84bf3ca..a61200754f4b 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1075,6 +1075,9 @@ static int do_replace(struct net *net, const void __user *user, /* overflow check */ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); @@ -1499,6 +1502,9 @@ static int compat_do_replace(struct net *net, void __user *user, return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index c69db7fa25ee..2d0e265fef6e 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) /* overflow check */ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); @@ -1809,6 +1812,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 1a732a1d3c8e..62f5b0d0bc9b 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1275,6 +1275,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) /* overflow check */ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); @@ -1822,6 +1825,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) return -ENOMEM; if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size); ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: netfilter: ensure number of counters is >0 in do_replace() 2015-05-20 0:55 ` netfilter: " Dave Jones @ 2015-05-21 11:42 ` Pablo Neira Ayuso 0 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2015-05-21 11:42 UTC (permalink / raw) To: Dave Jones; +Cc: netfilter-devel, netdev, fw, David Miller On Tue, May 19, 2015 at 08:55:17PM -0400, Dave Jones wrote: > After improving setsockopt() coverage in trinity, I started triggering > vmalloc failures pretty reliably from this code path: > > warn_alloc_failed+0xe9/0x140 > __vmalloc_node_range+0x1be/0x270 > vzalloc+0x4b/0x50 > __do_replace+0x52/0x260 [ip_tables] > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] > nf_setsockopt+0x65/0x90 > ip_setsockopt+0x61/0xa0 > raw_setsockopt+0x16/0x60 > sock_common_setsockopt+0x14/0x20 > SyS_setsockopt+0x71/0xd0 > > It turns out we don't validate that the num_counters field in the > struct we pass in from userspace is initialized. > > The same problem also exists in ebtables, arptables, ipv6, and the > compat variants. Applied. This also applies to -stable kernels: 3.2.x 3.4.x 3.10.x 3.12.x 3.14.x 3.18.x 4.0.x so after some testing and a little while, I'll pass this on. Thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-05-21 11:37 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-05-19 23:11 iptables: ensure number of counters is >0 in do_replace() Dave Jones 2015-05-19 23:19 ` Florian Westphal 2015-05-19 23:42 ` Dave Jones 2015-05-20 0:20 ` David Miller 2015-05-20 0:55 ` netfilter: " Dave Jones 2015-05-21 11:42 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).