ACK: [SRU][B][F][G][H][PATCH 1/1] netfilter: x_tables: fix compat match/target pad out-of-bound write

Kleber Souza kleber.souza at canonical.com
Fri May 7 10:32:08 UTC 2021


On 07.05.21 08:10, Khalid Elmously wrote:
> From: Florian Westphal <fw at strlen.de>
> 
> BugLink: https://bugs.launchpad.net/bugs/1927682
> 
> xt_compat_match/target_from_user doesn't check that zeroing the area
> to start of next rule won't write past end of allocated ruleset blob.
> 
> Remove this code and zero the entire blob beforehand.
> 
> Reported-by: syzbot+cfc0247ac173f597aaaa at syzkaller.appspotmail.com
> Reported-by: Andy Nguyen <theflow at google.com>
> Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit b29c457a6511435960115c0f548c4360d5f4801d)
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>

Looks good, clean cherry-pick.

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

Thanks

> ---
>   net/ipv4/netfilter/arp_tables.c |  2 ++
>   net/ipv4/netfilter/ip_tables.c  |  2 ++
>   net/ipv6/netfilter/ip6_tables.c |  2 ++
>   net/netfilter/x_tables.c        | 10 ++--------
>   4 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
> index e81eeb2389f92a..fc769df15c100b 100644
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -1230,6 +1230,8 @@ static int translate_compat_table(struct net *net,
>   	if (!newinfo)
>   		goto out_unlock;
>   
> +	memset(newinfo->entries, 0, size);
> +
>   	newinfo->number = compatr->num_entries;
>   	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
>   		newinfo->hook_entry[i] = compatr->hook_entry[i];
> diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> index d5bd759a7ebaed..986d8538fb4ced 100644
> --- a/net/ipv4/netfilter/ip_tables.c
> +++ b/net/ipv4/netfilter/ip_tables.c
> @@ -1467,6 +1467,8 @@ translate_compat_table(struct net *net,
>   	if (!newinfo)
>   		goto out_unlock;
>   
> +	memset(newinfo->entries, 0, size);
> +
>   	newinfo->number = compatr->num_entries;
>   	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
>   		newinfo->hook_entry[i] = compatr->hook_entry[i];
> diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
> index 8e2985fc1ebc01..2cfce6eb98b43d 100644
> --- a/net/ipv6/netfilter/ip6_tables.c
> +++ b/net/ipv6/netfilter/ip6_tables.c
> @@ -1483,6 +1483,8 @@ translate_compat_table(struct net *net,
>   	if (!newinfo)
>   		goto out_unlock;
>   
> +	memset(newinfo->entries, 0, size);
> +
>   	newinfo->number = compatr->num_entries;
>   	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
>   		newinfo->hook_entry[i] = compatr->hook_entry[i];
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 4638d42a22e405..d40acfce300764 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -636,7 +636,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
>   {
>   	const struct xt_match *match = m->u.kernel.match;
>   	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
> -	int pad, off = xt_compat_match_offset(match);
> +	int off = xt_compat_match_offset(match);
>   	u_int16_t msize = cm->u.user.match_size;
>   	char name[sizeof(m->u.user.name)];
>   
> @@ -646,9 +646,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
>   		match->compat_from_user(m->data, cm->data);
>   	else
>   		memcpy(m->data, cm->data, msize - sizeof(*cm));
> -	pad = XT_ALIGN(match->matchsize) - match->matchsize;
> -	if (pad > 0)
> -		memset(m->data + match->matchsize, 0, pad);
>   
>   	msize += off;
>   	m->u.user.match_size = msize;
> @@ -991,7 +988,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
>   {
>   	const struct xt_target *target = t->u.kernel.target;
>   	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
> -	int pad, off = xt_compat_target_offset(target);
> +	int off = xt_compat_target_offset(target);
>   	u_int16_t tsize = ct->u.user.target_size;
>   	char name[sizeof(t->u.user.name)];
>   
> @@ -1001,9 +998,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
>   		target->compat_from_user(t->data, ct->data);
>   	else
>   		memcpy(t->data, ct->data, tsize - sizeof(*ct));
> -	pad = XT_ALIGN(target->targetsize) - target->targetsize;
> -	if (pad > 0)
> -		memset(t->data + target->targetsize, 0, pad);
>   
>   	tsize += off;
>   	t->u.user.target_size = tsize;
> 




More information about the kernel-team mailing list