From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ben Hawkes <hawkes@google.com>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
Date: Thu, 10 Mar 2016 17:22:08 +0100 [thread overview]
Message-ID: <20160310162208.GB1526@salvia> (raw)
In-Reply-To: <CABWXx8Ek1PbyPnw6mcsGeMTseDUpqW3deFipOBMmS-+7EszZeA@mail.gmail.com>
On Thu, Mar 10, 2016 at 06:41:24AM -0800, Ben Hawkes wrote:
> On Thu, Mar 10, 2016 at 6:12 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Thu, Mar 10, 2016 at 01:56:02AM +0100, Florian Westphal wrote:
> >> Ben Hawkes says:
> >>
> >> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
> >> is possible for a user-supplied ipt_entry structure to have a large
> >> next_offset field. This field is not bounds checked prior to writing a
> >> counter value at the supplied offset.
> >>
> >> Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
> >> is out of bounds, assuming this is the last entry.
> >>
> >> With malformed data thats not necessarily the case so we can
> >> write outside of allocated area later as we might not have walked the
> >> entire blob.
> >>
> >> Fix this by simplifying mark_source_chains -- it already has to check
> >> if nextoff is in range to catch invalid jumps, so just do the check
> >> when we move to a next entry as well.
> >
> > Thanks for posting this patch so fast Florian.
> >
> > It's sad that Ben didn't even take the time to reach the people that
> > the MAINTAINERS file shows in first place *sigh*.
>
> What is sad about this precisely? I followed the documented process
> for reporting a security issue
> (https://www.kernel.org/doc/Documentation/SecurityBugs), and then
> followed the instructions I received from this list. If you have a
> problem with my actions, then I suggest you raise this with
> security@kernel.org.
As in any kind of bug, you should Cc maintainers of the corresponding
subsystem. In that sense, as in any kind of bug, it would be nice if
you participate testing and reviewing the patches that were posted to
address the bug.
Thanks.
next prev parent reply other threads:[~2016-03-10 16:22 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-10 0:56 [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values Florian Westphal
2016-03-10 14:12 ` Pablo Neira Ayuso
2016-03-10 14:41 ` Ben Hawkes
2016-03-10 16:22 ` Pablo Neira Ayuso [this message]
2016-03-18 13:03 ` Michal Kubecek
2016-03-18 22:02 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160310162208.GB1526@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=hawkes@google.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).