Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net/bridge/netfilter
History
Florian Westphal 5c04da55c7 netfilter: ebtables: reject bogus getopt len value 
syzkaller reports splat:
------------[ cut here ]------------
Buffer overflow detected (80 < 137)!
Call Trace:
 do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
 nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]

caused by a copy-to-user with a too-large "*len" value.
This adds a argument check on *len just like in the non-compat version
of the handler.

Before the "Fixes" commit, the reproducer fails with -EINVAL as
expected:
1. core calls the "compat" getsockopt version
2. compat getsockopt version detects the *len value is possibly
   in 64-bit layout (*len != compat_len)
3. compat getsockopt version delegates everything to native getsockopt
   version
4. native getsockopt rejects invalid *len

-> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.

After the refactor, event sequence is:
1. getsockopt calls "compat" version (len != native_len)
2. compat version attempts to copy *len bytes, where *len is random
   value from userspace

Fixes: fc66de8e16 ("netfilter/ebtables: clean up compat {get, set}sockopt handling")
Reported-by: syzbot+5accb5c62faa1d346480@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 		2020-08-14 11:59:08 +02:00
..
Kconfig netfilter: bridge: make NF_TABLES_BRIDGE tristate 2019-07-19 18:08:14 +02:00
Makefile netfilter: nft_meta: move bridge meta keys into nft_meta_bridge 2019-07-05 21:34:47 +02:00
ebt_802_3.c netfilter: inline xt_hashlimit, ebt_802_3 and xt_physdev headers 2019-09-13 12:32:48 +02:00
ebt_among.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_arp.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_arpreply.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_dnat.c bridge: ebtables: don't crash when using dnat target in output chains 2019-11-04 20:58:34 +01:00
ebt_ip.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_ip6.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_limit.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_log.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_mark.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_mark_m.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_nflog.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_pkttype.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_redirect.c netfilter: bridge: convert skb_make_writable to skb_ensure_writable 2019-05-31 18:02:43 +02:00
ebt_snat.c netfilter: bridge: convert skb_make_writable to skb_ensure_writable 2019-05-31 18:02:43 +02:00
ebt_stp.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebt_vlan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
ebtable_broute.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebtable_filter.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebtable_nat.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ebtables.c netfilter: ebtables: reject bogus getopt len value 2020-08-14 11:59:08 +02:00
nf_conntrack_bridge.c netfilter: avoid ipv6 -> nf_defrag_ipv6 module dependency 2020-08-13 04:16:15 +02:00
nf_log_bridge.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nft_meta_bridge.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_reject_bridge.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00