ACK: [SRU][Wily][PATCH] UBUNTU: SAUCE: (noup) netfilter: x_tables: check for size overflow
Brad Figg
brad.figg at canonical.com
Thu Mar 10 20:51:07 UTC 2016
On Thu, Mar 10, 2016 at 12:58:37PM -0600, Chris J Arges wrote:
> From: Florian Westphal <fw at strlen.de>
>
> BugLink: http://bugs.launchpad.net/bugs/1555353
>
> http://marc.info/?l=netfilter-devel&m=145757136822750&w=2
>
> Ben Hawkes says:
> integer overflow in xt_alloc_table_info, which on 32-bit systems can
> lead to small structure allocation and a copy_from_user based heap
> corruption.
>
> Reported-by: Ben Hawkes <hawkes at google.com>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> Signed-off-by: Chris J Arges <chris.j.arges at canonical.com>
> ---
> net/netfilter/x_tables.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index d324fe7..7884241 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -661,6 +661,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
> struct xt_table_info *info = NULL;
> size_t sz = sizeof(*info) + size;
>
> + if (sz < size || sz < sizeof(*info))
> + return NULL;
> +
> /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
> if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
> return NULL;
> --
> 2.7.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
More information about the kernel-team
mailing list