From: Greg Kroah-Hartman Date: Sun, 15 Jan 2023 14:13:56 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.303~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a03bc6988c6b6c515daf14095e33d2b1effffe54;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch --- diff --git a/queue-4.14/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch b/queue-4.14/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch new file mode 100644 index 00000000000..5a368db6d44 --- /dev/null +++ b/queue-4.14/netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch 
@@ -0,0 +1,41 @@ +From 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Wed, 11 Jan 2023 11:57:39 +0000 +Subject: netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. + +From: Gavrilov Ilia + +commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream. + +When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of +an arithmetic expression 2 << (netmask - mask_bits - 1) is subject +to overflow due to a failure casting operands to a larger data type +before performing the arithmetic. + +Note that it's harmless since the value will be checked at the next step. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") +Signed-off-by: Ilia.Gavrilov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -301,8 +301,8 @@ bitmap_ip_create(struct net *net, struct + return -IPSET_ERR_BITMAP_RANGE; + + pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); +- hosts = 2 << (32 - netmask - 1); +- elements = 2 << (netmask - mask_bits - 1); ++ hosts = 2U << (32 - netmask - 1); ++ elements = 2UL << (netmask - mask_bits - 1); + } + if (elements > IPSET_BITMAP_MAX_RANGE + 1) + return -IPSET_ERR_BITMAP_RANGE_SIZE; diff --git a/queue-4.14/series b/queue-4.14/series index 92fed630d38..88785cd89c0 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -329,3 +329,4 @@ net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch platform-x86-sony-laptop-don-t-turn-off-0x153-keyboard-backlight-during-probe.patch ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch +netfilter-ipset-fix-overflow-before-widen-in-the-bitmap_ip_create-function.patch
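Review bot: In the bitmap_ip_create() hunk of the queued patch, `elements = 2UL << (netmask - mask_bits - 1);` relies on `unsigned long` for the widening, and that type is 32 bits on 32-bit builds, so the width in which this shift is evaluated differs by architecture. For the case the commit message gives (netmask 31, which is a shift of 30 when mask_bits is 0), an unsigned constant is already enough, because 2 << 30 only overflows a signed int. If the aim is to evaluate the shift in the width of `elements` on every target, a fixed-width form such as `2ULL` or a `(u64)2` cast would say so directly. The declared types of `hosts` and `elements` are not visible in this hunk, so stating them in the commit message would let a reader confirm that `2U` and `2UL` match their destinations. The "harmless" remark does line up with the visible context, since the result goes straight into the `elements > IPSET_BITMAP_MAX_RANGE + 1` check.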