authorDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:28 +0200
committerDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:38 +0200
commite0b498c5ab84b9a37f4d706cc5cfa90f299d050b (patch)
treeadc0544307812708513ad38587368484e877ccd9
parent00ff2bfd310d3bae8480d28025b4b125fd02fb0f (diff)
netfilter: x_tables: avoid out-of-bounds reads in
xt_request_find_{match|target} (git-fixes).
-rw-r--r--patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch53
-rw-r--r--series.conf1
2 files changed, 54 insertions, 0 deletions
diff --git a/patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch b/patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch
new file mode 100644
index 0000000000..5d374acf3a
--- /dev/null
+++ b/patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch
@@ -0,0 +1,53 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: netfilter: x_tables: avoid out-of-bounds reads in
+ xt_request_find_{match|target}
+Patch-mainline: v4.16-rc1
+Git-commit: da17c73b6eb74aad3c3c0654394635675b623b3e
+References: git-fixes
+
+It looks like syzbot found its way into netfilter territory.
+
+Issue here is that @name comes from user space and might
+not be null terminated.
+
+Out-of-bound reads happen, KASAN is not happy.
+
+v2 added similar fix for xt_request_find_target(),
+as Florian advised.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/x_tables.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index ed01d01e6871..32fe10a98fae 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -209,6 +209,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
+ {
+ struct xt_match *match;
+
++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
++ return ERR_PTR(-EINVAL);
++
+ match = xt_find_match(nfproto, name, revision);
+ if (IS_ERR(match)) {
+ request_module("%st_%s", xt_prefix[nfproto], name);
+@@ -251,6 +254,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
+ {
+ struct xt_target *target;
+
++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
++ return ERR_PTR(-EINVAL);
++
+ target = xt_find_target(af, name, revision);
+ if (IS_ERR(target)) {
+ request_module("%st_%s", xt_prefix[af], name);
+--
+2.12.3
+
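Review bot: The added `strnlen(name, XT_EXTENSION_MAXNAMELEN)` guard in xt_request_find_match, and the identical one in xt_request_find_target, is only safe if every caller passes a `name` buffer that is at least XT_EXTENSION_MAXNAMELEN bytes long or already NUL-terminated. The callers are not visible in this patch, so that precondition should be confirmed against the tree this backport targets. I would document it above each check with something like `/* name comes from user space and may lack a NUL; callers must pass a buffer of at least XT_EXTENSION_MAXNAMELEN bytes */`. As a style point, the two checks are byte-identical, so a small static helper would keep them from drifting apart. Both function bodies continue outside the inner hunks.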
diff --git a/series.conf b/series.conf
index 318618926d..951f50c918 100644
--- a/series.conf
+++ b/series.conf
@@ -13196,6 +13196,7 @@
patches.fixes/openvswitch-Remove-padding-from-packet-before-L3-con.patch
patches.suse/rocker-fix-possible-null-pointer-dereference-in-rock.patch
patches.fixes/0003-netfilter-x_tables-fix-int-overflow-in-xt_alloc_tabl.patch
+ patches.fixes/0004-netfilter-x_tables-avoid-out-of-bounds-reads-in-xt_r.patch
patches.fixes/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch
patches.fixes/netfilter-ipt_CLUSTERIP-fix-out-of-bounds-accesses-i.patch
patches.fixes/netfilter-on-sockopt-acquire-sock-lock-only-in-the-r.patch