releases/3.4.25/inet_diag-validate-port-comparison-byte-code-to-prevent-unsafe-reads.patch

   1 From 62a341ad68bffed2aee85512b1c2b84c812e4868 Mon Sep 17 00:00:00 2001
   2 From: Neal Cardwell <ncardwell@google.com>
   3 Date: Sun, 9 Dec 2012 11:09:54 +0000
   4 Subject: inet_diag: validate port comparison byte code to prevent unsafe reads
   5
   6
   7 From: Neal Cardwell <ncardwell@google.com>
   8
   9 [ Upstream commit 5e1f54201cb481f40a04bc47e1bc8c093a189e23 ]
  10
  11 Add logic to verify that a port comparison byte code operation
  12 actually has the second inet_diag_bc_op from which we read the port
  13 for such operations.
  14
  15 Previously the code blindly referenced op[1] without first checking
  16 whether a second inet_diag_bc_op struct could fit there. So a
  17 malicious user could make the kernel read 4 bytes beyond the end of
  18 the bytecode array by claiming to have a whole port comparison byte
  19 code (2 inet_diag_bc_op structs) when in fact the bytecode was not
  20 long enough to hold both.
  21
  22 Signed-off-by: Neal Cardwell <ncardwell@google.com>
  23 Signed-off-by: David S. Miller <davem@davemloft.net>
  24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  25 ---
  26  net/ipv4/inet_diag.c |   31 ++++++++++++++++++++++++-------
  27  1 file changed, 24 insertions(+), 7 deletions(-)
  28
  29 --- a/net/ipv4/inet_diag.c
  30 +++ b/net/ipv4/inet_diag.c
  31 @@ -548,6 +548,17 @@ static bool valid_hostcond(const struct
  32         return true;
  33  }
  34
  35 +/* Validate a port comparison operator. */
  36 +static inline bool valid_port_comparison(const struct inet_diag_bc_op *op,
  37 +                                        int len, int *min_len)
  38 +{
  39 +       /* Port comparisons put the port in a follow-on inet_diag_bc_op. */
  40 +       *min_len += sizeof(struct inet_diag_bc_op);
  41 +       if (len < *min_len)
  42 +               return false;
  43 +       return true;
  44 +}
  45 +
  46  static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
  47  {
  48         const void *bc = bytecode;
  49 @@ -563,24 +574,30 @@ static int inet_diag_bc_audit(const void
  50                 case INET_DIAG_BC_D_COND:
  51                         if (!valid_hostcond(bc, len, &min_len))
  52                                 return -EINVAL;
  53 -                       /* fall through */
  54 -               case INET_DIAG_BC_AUTO:
  55 +                       break;
  56                 case INET_DIAG_BC_S_GE:
  57                 case INET_DIAG_BC_S_LE:
  58                 case INET_DIAG_BC_D_GE:
  59                 case INET_DIAG_BC_D_LE:
  60 -               case INET_DIAG_BC_JMP:
  61 -                       if (op->no < min_len || op->no > len + 4 || op->no & 3)
  62 -                               return -EINVAL;
  63 -                       if (op->no < len &&
  64 -                           !valid_cc(bytecode, bytecode_len, len - op->no))
  65 +                       if (!valid_port_comparison(bc, len, &min_len))
  66                                 return -EINVAL;
  67                         break;
  68 +               case INET_DIAG_BC_AUTO:
  69 +               case INET_DIAG_BC_JMP:
  70                 case INET_DIAG_BC_NOP:
  71                         break;
  72                 default:
  73                         return -EINVAL;
  74                 }
  75 +
  76 +               if (op->code != INET_DIAG_BC_NOP) {
  77 +                       if (op->no < min_len || op->no > len + 4 || op->no & 3)
  78 +                               return -EINVAL;
  79 +                       if (op->no < len &&
  80 +                           !valid_cc(bytecode, bytecode_len, len - op->no))
  81 +                               return -EINVAL;
  82 +               }
  83 +
  84                 if (op->yes < min_len || op->yes > len + 4 || op->yes & 3)
  85                         return -EINVAL;
  86                 bc  += op->yes;