ACK/cmnt: [A][PATCH 1/1] netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

Kleber Souza kleber.souza at canonical.com
Mon May 14 16:29:42 UTC 2018 

On 05/14/18 07:41, Khalid Elmously wrote:
> From: Florian Westphal <fw at strlen.de>
> 
> CVE-2018-1068
> 
> We need to make sure the offsets are not out of range of the
> total size.
> Also check that they are in ascending order.
> 
> The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
> changed to also bail out, no point in continuing parsing.
> 
> Briefly tested with simple ruleset of
> -A INPUT --limit 1/s' --log
> plus jump to custom chains using 32bit ebtables binary.
> 
> Reported-by: <syzbot+845a53d13171abf8bf29 at syzkaller.appspotmail.com>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry-picked from b71812168571fa55e44cdd0254471331b9c4c4c6)
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>

Clean cherry-pick:

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>


As Andy mentioned on the other email, by the CVE matrix it seems that
trusty/linux needs the fix as well.


Thanks,
Kleber


> ---
>  net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 9c6e619f452b..6890bb669197 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -2061,7 +2061,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
>  		if (match_kern)
>  			match_kern->match_size = ret;
>  
> -		WARN_ON(type == EBT_COMPAT_TARGET && size_left);
> +		if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
> +			return -EINVAL;
> +
>  		match32 = (struct compat_ebt_entry_mwt *) buf;
>  	}
>  
> @@ -2117,6 +2119,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
>  	 *
>  	 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
>  	 */
> +	for (i = 0; i < 4 ; ++i) {
> +		if (offsets[i] >= *total)
> +			return -EINVAL;
> +		if (i == 0)
> +			continue;
> +		if (offsets[i-1] > offsets[i])
> +			return -EINVAL;
> +	}
> +
>  	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
>  		struct compat_ebt_entry_mwt *match32;
>  		unsigned int size;
>

More information about the kernel-team mailing list