authorDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:28 +0200
committerDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:36 +0200
commit00ff2bfd310d3bae8480d28025b4b125fd02fb0f (patch)
treef31556cb71fb66d54de90ac6898aec1430eb4e92
parente39197c088f4ef2a7a330424a871efac7687272d (diff)
netfilter: x_tables: fix int overflow in xt_alloc_table_info()
(git-fixes).
-rw-r--r--patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch46
-rw-r--r--series.conf1
2 files changed, 47 insertions, 0 deletions
diff --git a/patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch b/patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
new file mode 100644
index 0000000000..687fe52749
--- /dev/null
+++ b/patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
@@ -0,0 +1,46 @@
+From: Dmitry Vyukov <dvyukov@google.com>
+Subject: netfilter: x_tables: fix int overflow in
+ xt_alloc_table_info()
+Patch-mainline: v4.16-rc1
+Git-commit: 889c604fd0b5f6d3b8694ade229ee44124de1127
+References: git-fixes
+
+syzkaller triggered OOM kills by passing ipt_replace.size = -1
+to IPT_SO_SET_REPLACE. The root cause is that SMP_ALIGN() in
+xt_alloc_table_info() causes int overflow and the size check passes
+when it should not. SMP_ALIGN() is no longer needed leftover.
+
+Remove SMP_ALIGN() call in xt_alloc_table_info().
+
+Reported-by: syzbot+4396883fa8c4f64e0175@syzkaller.appspotmail.com
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/x_tables.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 2d1d580cf9d0..ed01d01e6871 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -39,7 +39,6 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+ MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
+
+-#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
+ #define XT_PCPU_BLOCK_SIZE 4096
+
+ struct compat_delta {
+@@ -1000,7 +999,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ return NULL;
+
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+- if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
++ if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
+ return NULL;
+
+ if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
+--
+2.12.3
+
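Review bot: The comment above the retained check in the x_tables.c hunk still reads `/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */` and says nothing about why the raw `size` is now compared, even though the aligned form is exactly what wrapped and defeated the check. A short note on that line, such as `/* compare the raw size: SMP_ALIGN() of a size near UINT_MAX wrapped to a small value and let the check pass */`, would keep that history next to the code rather than only in the patch header. The earlier `return NULL` at the top of the hunk and the computation of `sz` used below lie outside the hunk, so whether `size` is bounded before the shift cannot be confirmed from here; xt_alloc_table_info() begins before the hunk and continues after it. It is also worth confirming that no other user of SMP_ALIGN() remains in x_tables.c once the macro is removed, although the build would surface that.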
diff --git a/series.conf b/series.conf
index ec55c7cb76..318618926d 100644
--- a/series.conf
+++ b/series.conf
@@ -13195,6 +13195,7 @@
patches.fixes/tcp_bbr-fix-pacing_gain-to-always-be-unity-when-usin.patch
patches.fixes/openvswitch-Remove-padding-from-packet-before-L3-con.patch
patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch
+ patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
patches.fixes/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch
patches.fixes/netfilter-ipt_CLUSTERIP-fix-out-of-bounds-accesses-i.patch
patches.fixes/netfilter-on-sockopt-acquire-sock-lock-only-in-the-r.patch