]>
Commit | Line | Data |
---|---|---|
7f87a3cd SL |
1 | From c45826228a42a4b51d8ec1e29bc6e4d8f099ff71 Mon Sep 17 00:00:00 2001 |
2 | From: Sasha Levin <sashal@kernel.org> | |
3 | Date: Tue, 9 Apr 2024 12:07:41 +0000 | |
4 | Subject: netfilter: complete validation of user input | |
5 | ||
6 | From: Eric Dumazet <edumazet@google.com> | |
7 | ||
8 | [ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ] | |
9 | ||
10 | In my recent commit, I missed that do_replace() handlers | |
11 | use copy_from_sockptr() (which I fixed), followed | |
12 | by unsafe copy_from_sockptr_offset() calls. | |
13 | ||
14 | In all functions, we can perform the @optlen validation | |
15 | before even calling xt_alloc_table_info() with the following | |
16 | check: | |
17 | ||
18 | if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) | |
19 | return -EINVAL; | |
20 | ||
21 | Fixes: 0c83842df40f ("netfilter: validate user input for expected length") | |
22 | Reported-by: syzbot <syzkaller@googlegroups.com> | |
23 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
24 | Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> | |
25 | Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com | |
26 | Signed-off-by: Jakub Kicinski <kuba@kernel.org> | |
27 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
28 | --- | |
29 | net/ipv4/netfilter/arp_tables.c | 4 ++++ | |
30 | net/ipv4/netfilter/ip_tables.c | 4 ++++ | |
31 | net/ipv6/netfilter/ip6_tables.c | 4 ++++ | |
32 | 3 files changed, 12 insertions(+) | |
33 | ||
34 | diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c | |
35 | index 48c6aa3d91ae8..5823e89b8a734 100644 | |
36 | --- a/net/ipv4/netfilter/arp_tables.c | |
37 | +++ b/net/ipv4/netfilter/arp_tables.c | |
38 | @@ -965,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len) | |
39 | return -ENOMEM; | |
40 | if (tmp.num_counters == 0) | |
41 | return -EINVAL; | |
42 | + if ((u64)len < (u64)tmp.size + sizeof(tmp)) | |
43 | + return -EINVAL; | |
44 | ||
45 | tmp.name[sizeof(tmp.name)-1] = 0; | |
46 | ||
47 | @@ -1265,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) | |
48 | return -ENOMEM; | |
49 | if (tmp.num_counters == 0) | |
50 | return -EINVAL; | |
51 | + if ((u64)len < (u64)tmp.size + sizeof(tmp)) | |
52 | + return -EINVAL; | |
53 | ||
54 | tmp.name[sizeof(tmp.name)-1] = 0; | |
55 | ||
56 | diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c | |
57 | index b46d58b9f3fe4..22e9ff592cd75 100644 | |
58 | --- a/net/ipv4/netfilter/ip_tables.c | |
59 | +++ b/net/ipv4/netfilter/ip_tables.c | |
60 | @@ -1119,6 +1119,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) | |
61 | return -ENOMEM; | |
62 | if (tmp.num_counters == 0) | |
63 | return -EINVAL; | |
64 | + if ((u64)len < (u64)tmp.size + sizeof(tmp)) | |
65 | + return -EINVAL; | |
66 | ||
67 | tmp.name[sizeof(tmp.name)-1] = 0; | |
68 | ||
69 | @@ -1505,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) | |
70 | return -ENOMEM; | |
71 | if (tmp.num_counters == 0) | |
72 | return -EINVAL; | |
73 | + if ((u64)len < (u64)tmp.size + sizeof(tmp)) | |
74 | + return -EINVAL; | |
75 | ||
76 | tmp.name[sizeof(tmp.name)-1] = 0; | |
77 | ||
78 | diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c | |
79 | index d013395be05fc..df7cd3d285e4f 100644 | |
80 | --- a/net/ipv6/netfilter/ip6_tables.c | |
81 | +++ b/net/ipv6/netfilter/ip6_tables.c | |
82 | @@ -1137,6 +1137,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) | |
83 | return -ENOMEM; | |
84 | if (tmp.num_counters == 0) | |
85 | return -EINVAL; | |
86 | + if ((u64)len < (u64)tmp.size + sizeof(tmp)) | |
87 | + return -EINVAL; | |
88 | ||
89 | tmp.name[sizeof(tmp.name)-1] = 0; | |
90 | ||
91 | @@ -1515,6 +1517,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) | |
92 | return -ENOMEM; | |
93 | if (tmp.num_counters == 0) | |
94 | return -EINVAL; | |
95 | + if ((u64)len < (u64)tmp.size + sizeof(tmp)) | |
96 | + return -EINVAL; | |
97 | ||
98 | tmp.name[sizeof(tmp.name)-1] = 0; | |
99 | ||
100 | -- | |
101 | 2.43.0 | |
102 |