APPLIED[F/B]: [SRU][B][F][G][H][PATCH 1/1] netfilter: x_tables: fix compat match/target pad out-of-bound write

Kelsey Skunberg kelsey.skunberg at canonical.com
Sat May 8 00:07:58 UTC 2021 

This was applied via an upstream patchset on F/B master-next. Thank you! 

-Kelsey

On 2021-05-07 02:10:41 , Khalid Elmously wrote:
> From: Florian Westphal <fw at strlen.de>
> 
> BugLink: https://bugs.launchpad.net/bugs/1927682
> 
> xt_compat_match/target_from_user doesn't check that zeroing the area
> to start of next rule won't write past end of allocated ruleset blob.
> 
> Remove this code and zero the entire blob beforehand.
> 
> Reported-by: syzbot+cfc0247ac173f597aaaa at syzkaller.appspotmail.com
> Reported-by: Andy Nguyen <theflow at google.com>
> Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit b29c457a6511435960115c0f548c4360d5f4801d)
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
> ---
>  net/ipv4/netfilter/arp_tables.c |  2 ++
>  net/ipv4/netfilter/ip_tables.c  |  2 ++
>  net/ipv6/netfilter/ip6_tables.c |  2 ++
>  net/netfilter/x_tables.c        | 10 ++--------
>  4 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
> index e81eeb2389f92a..fc769df15c100b 100644
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -1230,6 +1230,8 @@ static int translate_compat_table(struct net *net,
>  	if (!newinfo)
>  		goto out_unlock;
>  
> +	memset(newinfo->entries, 0, size);
> +
>  	newinfo->number = compatr->num_entries;
>  	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
>  		newinfo->hook_entry[i] = compatr->hook_entry[i];
> diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> index d5bd759a7ebaed..986d8538fb4ced 100644
> --- a/net/ipv4/netfilter/ip_tables.c
> +++ b/net/ipv4/netfilter/ip_tables.c
> @@ -1467,6 +1467,8 @@ translate_compat_table(struct net *net,
>  	if (!newinfo)
>  		goto out_unlock;
>  
> +	memset(newinfo->entries, 0, size);
> +
>  	newinfo->number = compatr->num_entries;
>  	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
>  		newinfo->hook_entry[i] = compatr->hook_entry[i];
> diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
> index 8e2985fc1ebc01..2cfce6eb98b43d 100644
> --- a/net/ipv6/netfilter/ip6_tables.c
> +++ b/net/ipv6/netfilter/ip6_tables.c
> @@ -1483,6 +1483,8 @@ translate_compat_table(struct net *net,
>  	if (!newinfo)
>  		goto out_unlock;
>  
> +	memset(newinfo->entries, 0, size);
> +
>  	newinfo->number = compatr->num_entries;
>  	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
>  		newinfo->hook_entry[i] = compatr->hook_entry[i];
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 4638d42a22e405..d40acfce300764 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -636,7 +636,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
>  {
>  	const struct xt_match *match = m->u.kernel.match;
>  	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
> -	int pad, off = xt_compat_match_offset(match);
> +	int off = xt_compat_match_offset(match);
>  	u_int16_t msize = cm->u.user.match_size;
>  	char name[sizeof(m->u.user.name)];
>  
> @@ -646,9 +646,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
>  		match->compat_from_user(m->data, cm->data);
>  	else
>  		memcpy(m->data, cm->data, msize - sizeof(*cm));
> -	pad = XT_ALIGN(match->matchsize) - match->matchsize;
> -	if (pad > 0)
> -		memset(m->data + match->matchsize, 0, pad);
>  
>  	msize += off;
>  	m->u.user.match_size = msize;
> @@ -991,7 +988,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
>  {
>  	const struct xt_target *target = t->u.kernel.target;
>  	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
> -	int pad, off = xt_compat_target_offset(target);
> +	int off = xt_compat_target_offset(target);
>  	u_int16_t tsize = ct->u.user.target_size;
>  	char name[sizeof(t->u.user.name)];
>  
> @@ -1001,9 +998,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
>  		target->compat_from_user(t->data, ct->data);
>  	else
>  		memcpy(t->data, ct->data, tsize - sizeof(*ct));
> -	pad = XT_ALIGN(target->targetsize) - target->targetsize;
> -	if (pad > 0)
> -		memset(t->data + target->targetsize, 0, pad);
>  
>  	tsize += off;
>  	t->u.user.target_size = tsize;
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list