ACK: [SRU][Wily][PATCH] UBUNTU: SAUCE: (noup) netfilter: x_tables: check for size overflow

Brad Figg brad.figg at canonical.com
Thu Mar 10 20:51:07 UTC 2016


On Thu, Mar 10, 2016 at 12:58:37PM -0600, Chris J Arges wrote:
> From: Florian Westphal <fw at strlen.de>
> 
> BugLink: http://bugs.launchpad.net/bugs/1555353
> 
> http://marc.info/?l=netfilter-devel&m=145757136822750&w=2
> 
> Ben Hawkes says:
>  integer overflow in xt_alloc_table_info, which on 32-bit systems can
>  lead to small structure allocation and a copy_from_user based heap
>  corruption.
> 
> Reported-by: Ben Hawkes <hawkes at google.com>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> Signed-off-by: Chris J Arges <chris.j.arges at canonical.com>
> ---
>  net/netfilter/x_tables.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index d324fe7..7884241 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -661,6 +661,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
>  	struct xt_table_info *info = NULL;
>  	size_t sz = sizeof(*info) + size;
>  
> +	if (sz < size || sz < sizeof(*info))
> +		return NULL;
> +
>  	/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
>  	if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
>  		return NULL;
> -- 
> 2.7.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team



-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com




More information about the kernel-team mailing list