From: Greg Kroah-Hartman
Date: Thu, 11 Oct 2018 15:07:17 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.124~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ff2a48e4b572bcf73c572e14f712eb70e62784a;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches added patches: ebtables-arpreply-add-the-standard-target-sanity-check.patch
---
diff --git a/queue-3.18/ebtables-arpreply-add-the-standard-target-sanity-check.patch b/queue-3.18/ebtables-arpreply-add-the-standard-target-sanity-check.patch
new file mode 100644
index 00000000000..74e96bc8bd2
--- /dev/null
+++ b/queue-3.18/ebtables-arpreply-add-the-standard-target-sanity-check.patch
@@ -0,0 +1,55 @@
+From c953d63548207a085abcb12a15fefc8a11ffdf0a Mon Sep 17 00:00:00 2001
+From: Gao Feng
+Date: Tue, 16 May 2017 09:30:18 +0800
+Subject: ebtables: arpreply: Add the standard target sanity check
+
+From: Gao Feng
+
+commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.
+
+The info->target comes from userspace and it would be used directly.
+So we need to add the sanity check to make sure it is a valid standard
+target, although the ebtables tool has already checked it. Kernel needs
+to validate anything coming from userspace.
+
+If the target is set as an evil value, it would break the ebtables
+and cause a panic. Because the non-standard target is treated as one
+offset.
+
+Now add one helper function ebt_invalid_target, and we would replace
+the macro INVALID_TARGET later.
+
+Signed-off-by: Gao Feng
+Signed-off-by: Pablo Neira Ayuso
+Cc: Loic
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/netfilter_bridge/ebtables.h | 5 +++++
+ net/bridge/netfilter/ebt_arpreply.c | 3 +++
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -124,4 +124,9 @@ extern unsigned int ebt_do_table(unsigne
+ /* True if the target is not a standard target */
+ #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
+
++static inline bool ebt_invalid_target(int target)
++{
++ return (target < -NUM_STANDARD_TARGETS || target >= 0);
++}
++
+ #endif
+--- a/net/bridge/netfilter/ebt_arpreply.c
++++ b/net/bridge/netfilter/ebt_arpreply.c
+@@ -67,6 +67,9 @@ static int ebt_arpreply_tg_check(const s
+ if (e->ethproto != htons(ETH_P_ARP) ||
+ e->invflags & EBT_IPROTO)
+ return -EINVAL;
++ if (ebt_invalid_target(info->target))
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-3.18/series b/queue-3.18/series
index c3444944f1e..63be09d6c2d 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
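Review bot: The new `ebt_invalid_target()` helper in ebtables.h repeats the range expression of the `INVALID_TARGET` macro directly above it, so until the macro is removed there are two definitions of "standard target" that can drift apart. Defining the macro through the helper, `#define INVALID_TARGET ebt_invalid_target(info->target)`, would keep a single source of truth for this userspace-input check. The helper also has no comment of its own; something like `/* True if target is outside [-NUM_STANDARD_TARGETS, -1]; per the commit message, any other value is treated as an offset */` would record why callers must reject it. `ebt_arpreply_tg_check` starts outside the hunk, so how `info` is obtained there is not visible from here.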
@@ -117,3 +117,4 @@ jbd2-don-t-mark-block-as-modified-if-the-handle-is-out-of-credits.patch
 ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch
 cgroup-fix-deadlock-in-cpu-hotplug-path.patch
 ubifs-check-for-name-being-null-while-mounting.patch
+ebtables-arpreply-add-the-standard-target-sanity-check.patch