[PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages
@ 2016-02-02 18:36 phil.turnbull
  2016-02-15 19:27 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: phil.turnbull @ 2016-02-02 18:36 UTC (permalink / raw)
  To: netfilter-devel
  Cc: Phil Turnbull, Pablo Neira Ayuso, Patrick McHardy,
	Jozsef Kadlecsik, David S. Miller,
	open list:NETFILTER ({IP,IP6,ARP,EB,NF}TABLES),
	open list:NETWORKING [GENERAL], open list

From: Phil Turnbull <phil.turnbull@oracle.com>

If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.

The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.

If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:

    [   41.455421] ==================================================================
    [   41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
    [   41.456431] Read of size 4294967280 by task a.out/987
    [   41.456431] =============================================================================
    [   41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    [   41.456431] -----------------------------------------------------------------------------
    ...
    [   41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00  ................
    [   41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00   ...............
    [   41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05  .......@EV."3...
    [   41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb  ................
                                            ^^ start of batch nlmsg with
                                               nlmsg_len=4294967280
    ...
    [   41.456431] Memory state around the buggy address:
    [   41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
    [   41.456431]                                ^
    [   41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [   41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
    [   41.456431] ==================================================================

Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.

CAP_NET_ADMIN is required to trigger the bugs.

Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
---
 net/netfilter/nfnetlink.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 62e92af..857ae89 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -328,10 +328,12 @@ replay:
 		nlh = nlmsg_hdr(skb);
 		err = 0;
 
-		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
-		    skb->len < nlh->nlmsg_len) {
-			err = -EINVAL;
-			goto ack;
+		if (nlh->nlmsg_len < NLMSG_HDRLEN ||
+		    skb->len < nlh->nlmsg_len ||
+		    nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
+			nfnl_err_reset(&err_list);
+			status |= NFNL_BATCH_FAILURE;
+			goto done;
 		}
 
 		/* Only requests are handled by the kernel */
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages
  2016-02-02 18:36 [PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages phil.turnbull
@ 2016-02-15 19:27 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-02-15 19:27 UTC (permalink / raw)
  To: phil.turnbull
  Cc: netfilter-devel, Patrick McHardy, Jozsef Kadlecsik,
	David S. Miller, open list:NETFILTER ({IP,IP6,ARP,EB,NF}TABLES),
	open list:NETWORKING [GENERAL], open list

On Tue, Feb 02, 2016 at 01:36:45PM -0500, phil.turnbull@oracle.com wrote:
> From: Phil Turnbull <phil.turnbull@oracle.com>
> 
> If nlh->nlmsg_len is zero then an infinite loop is triggered because
> 'skb_pull(skb, msglen);' pulls zero bytes.
> 
> The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
> NLMSG_HDRLEN' which bypasses the length validation and will later
> trigger an out-of-bound read.
> 
> If the length validation does fail then the malformed batch message is
> copied back to userspace. However, we cannot do this because the
> nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
> netlink_ack:
> 
>     [   41.455421] ==================================================================
>     [   41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
>     [   41.456431] Read of size 4294967280 by task a.out/987
>     [   41.456431] =============================================================================
>     [   41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
>     [   41.456431] -----------------------------------------------------------------------------
>     ...
>     [   41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00  ................
>     [   41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00   ...............
>     [   41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05  .......@EV."3...
>     [   41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb  ................
>                                             ^^ start of batch nlmsg with
>                                                nlmsg_len=4294967280
>     ...
>     [   41.456431] Memory state around the buggy address:
>     [   41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     [   41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     [   41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>     [   41.456431]                                ^
>     [   41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>     [   41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
>     [   41.456431] ==================================================================
> 
> Fix this with better validation of nlh->nlmsg_len and by setting
> NFNL_BATCH_FAILURE if any batch message fails length validation.
> 
> CAP_NET_ADMIN is required to trigger the bugs.

Applied, thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-02-15 19:27 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-02 18:36 [PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages phil.turnbull
2016-02-15 19:27 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).