[thirdparty/kernel/stable-queue.git] / queue-5.10 / netfilter-complete-validation-of-user-input.patch

From c45826228a42a4b51d8ec1e29bc6e4d8f099ff71 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Tue, 9 Apr 2024 12:07:41 +0000
Subject: netfilter: complete validation of user input

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]

In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.

In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:

if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
        return -EINVAL;

Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/netfilter/arp_tables.c | 4 ++++
 net/ipv4/netfilter/ip_tables.c  | 4 ++++
 net/ipv6/netfilter/ip6_tables.c | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 48c6aa3d91ae8..5823e89b8a734 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -965,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters == 0)
 		return -EINVAL;
+	if ((u64)len < (u64)tmp.size + sizeof(tmp))
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
@@ -1265,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters == 0)
 		return -EINVAL;
+	if ((u64)len < (u64)tmp.size + sizeof(tmp))
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b46d58b9f3fe4..22e9ff592cd75 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1119,6 +1119,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters == 0)
 		return -EINVAL;
+	if ((u64)len < (u64)tmp.size + sizeof(tmp))
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
@@ -1505,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters == 0)
 		return -EINVAL;
+	if ((u64)len < (u64)tmp.size + sizeof(tmp))
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index d013395be05fc..df7cd3d285e4f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1137,6 +1137,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters == 0)
 		return -EINVAL;
+	if ((u64)len < (u64)tmp.size + sizeof(tmp))
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
@@ -1515,6 +1517,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters == 0)
 		return -EINVAL;
+	if ((u64)len < (u64)tmp.size + sizeof(tmp))
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
-- 
2.43.0
Commit	Line	Data
7f87a3cd SL	1	From c45826228a42a4b51d8ec1e29bc6e4d8f099ff71 Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sashal@kernel.org>
	3	Date: Tue, 9 Apr 2024 12:07:41 +0000
	4	Subject: netfilter: complete validation of user input
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8	[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]
	9
	10	In my recent commit, I missed that do_replace() handlers
	11	use copy_from_sockptr() (which I fixed), followed
	12	by unsafe copy_from_sockptr_offset() calls.
	13
	14	In all functions, we can perform the @optlen validation
	15	before even calling xt_alloc_table_info() with the following
	16	check:
	17
	18	if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
	19	return -EINVAL;
	20
	21	Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
	22	Reported-by: syzbot <syzkaller@googlegroups.com>
	23	Signed-off-by: Eric Dumazet <edumazet@google.com>
	24	Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
	25	Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
	26	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
	27	Signed-off-by: Sasha Levin <sashal@kernel.org>
	28	---
	29	net/ipv4/netfilter/arp_tables.c \| 4 ++++
	30	net/ipv4/netfilter/ip_tables.c \| 4 ++++
	31	net/ipv6/netfilter/ip6_tables.c \| 4 ++++
	32	3 files changed, 12 insertions(+)
	33
	34	diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
	35	index 48c6aa3d91ae8..5823e89b8a734 100644
	36	--- a/net/ipv4/netfilter/arp_tables.c
	37	+++ b/net/ipv4/netfilter/arp_tables.c
	38	@@ -965,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len)
	39	return -ENOMEM;
	40	if (tmp.num_counters == 0)
	41	return -EINVAL;
	42	+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
	43	+ return -EINVAL;
	44
	45	tmp.name[sizeof(tmp.name)-1] = 0;
	46
	47	@@ -1265,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
	48	return -ENOMEM;
	49	if (tmp.num_counters == 0)
	50	return -EINVAL;
	51	+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
	52	+ return -EINVAL;
	53
	54	tmp.name[sizeof(tmp.name)-1] = 0;
	55
	56	diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
	57	index b46d58b9f3fe4..22e9ff592cd75 100644
	58	--- a/net/ipv4/netfilter/ip_tables.c
	59	+++ b/net/ipv4/netfilter/ip_tables.c
	60	@@ -1119,6 +1119,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
	61	return -ENOMEM;
	62	if (tmp.num_counters == 0)
	63	return -EINVAL;
	64	+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
65	+ return -EINVAL;
66
67	tmp.name[sizeof(tmp.name)-1] = 0;
68
69	@@ -1505,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
70	return -ENOMEM;
71	if (tmp.num_counters == 0)
72	return -EINVAL;
73	+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
74	+ return -EINVAL;
75
76	tmp.name[sizeof(tmp.name)-1] = 0;
77
78	diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
79	index d013395be05fc..df7cd3d285e4f 100644
80	--- a/net/ipv6/netfilter/ip6_tables.c
81	+++ b/net/ipv6/netfilter/ip6_tables.c
82	@@ -1137,6 +1137,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
83	return -ENOMEM;
84	if (tmp.num_counters == 0)
85	return -EINVAL;
86	+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
87	+ return -EINVAL;
88
89	tmp.name[sizeof(tmp.name)-1] = 0;
90
91	@@ -1515,6 +1517,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
92	return -ENOMEM;
93	if (tmp.num_counters == 0)
94	return -EINVAL;
95	+ if ((u64)len < (u64)tmp.size + sizeof(tmp))
96	+ return -EINVAL;
97
98	tmp.name[sizeof(tmp.name)-1] = 0;
99
100	--
101	2.43.0
102