From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, hch@lst.de,
syzkaller-bugs@googlegroups.com, netdev@vger.kernel.org,
syzbot+5accb5c62faa1d346480@syzkaller.appspotmail.com
Subject: Re: [PATCH nf] netfilter/ebtables: reject bogus getopt len value
Date: Fri, 14 Aug 2020 11:59:43 +0200
Message-ID: <20200814095943.GC5816@salvia>
In-Reply-To: <20200813074611.281558-1-fw@strlen.de>
On Thu, Aug 13, 2020 at 09:46:11AM +0200, Florian Westphal wrote:
> syzkaller reports splat:
> ------------[ cut here ]------------
> Buffer overflow detected (80 < 137)!
> Call Trace:
> do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
> nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
> ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
>
> caused by a copy-to-user with a too-large "*len" value.
> This adds an argument check on *len just like in the non-compat version
> of the handler.
>
> Before the "Fixes" commit, the reproducer fails with -EINVAL as
> expected:
> 1. core calls the "compat" getsockopt version
> 2. compat getsockopt version detects the *len value is possibly
> in 64-bit layout (*len != compat_len)
> 3. compat getsockopt version delegates everything to native getsockopt
> version
> 4. native getsockopt rejects invalid *len
>
> -> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.
>
> After the refactor, the event sequence is:
> 1. getsockopt calls "compat" version (len != native_len)
> 2. compat version attempts to copy *len bytes, where *len is random
> value from userspace
Applied, thanks.
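The *len handling described in the quoted message, as an added example that is neither the patch nor the kernel's code: a user-space C model with constructed struct sizes and hypothetical function names, showing the pre-refactor delegation to the native handler, the unchecked post-refactor copy, and the check the patch adds.

```c
/* Added example, not the kernel's or the patch's code: a user-space model of
 * the *len handling in the quoted message. Sizes and names are constructed. */
#include <errno.h>
#include <string.h>

struct native_replace { unsigned char raw[136]; }; /* constructed native layout */
struct compat_replace { unsigned char raw[80]; };  /* constructed 32-bit layout */
static const struct native_replace nrep;
static const struct compat_replace crep;
unsigned char user_buf[256]; /* stand-in for the user-supplied buffer */

/* Stand-in for a hardened copy_to_user(): refuses to copy more bytes than the
 * source object holds (the condition behind the quoted splat) instead of
 * reading past the object into adjacent kernel memory. */
static int copy_out(void *dst, const void *src, size_t src_size, size_t len)
{
    if (len > src_size)
        return -EFAULT; /* "Buffer overflow detected (src_size < len)" */
    memcpy(dst, src, len);
    return 0;
}

/* Native handler: *len must match the native struct exactly. */
int native_get_ctl(void *dst, size_t len)
{
    if (len != sizeof(nrep))
        return -EINVAL;
    return copy_out(dst, &nrep, sizeof(nrep), len);
}
/* Compat handler before the refactor: anything but the compat size is handed
 * to the native handler, which does the rejecting. */
int compat_get_ctl_old(void *dst, size_t len)
{
    if (len != sizeof(crep))
        return native_get_ctl(dst, len);
    return copy_out(dst, &crep, sizeof(crep), len);
}
/* After the refactor, before the fix: *len is copied as supplied. */
int compat_get_ctl_unchecked(void *dst, size_t len)
{
    return copy_out(dst, &crep, sizeof(crep), len);
}
/* With the patch's check: a bogus *len is rejected up front, as in native. */
int compat_get_ctl_fixed(void *dst, size_t len)
{
    if (len != sizeof(crep))
        return -EINVAL;
    return copy_out(dst, &crep, sizeof(crep), len);
}
```

With a bogus length of 137, `compat_get_ctl_unchecked` only fails inside the modelled object-size check (the path the splat exercised), whereas `compat_get_ctl_fixed` and the old delegating version reject it earlier with -EINVAL.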
Thread overview: 6+ messages
2020-08-07 2:26 WARNING in compat_do_ebt_get_ctl syzbot
2020-08-13 3:45 ` syzbot
2020-08-13 7:46 ` [PATCH nf] netfilter/ebtables: reject bogus getopt len value Florian Westphal
2020-08-13 15:40 ` Christoph Hellwig
2020-08-13 16:05 ` Jakub Kicinski
2020-08-14 9:59 ` Pablo Neira Ayuso [this message]