netfilter: CVE-2018-1068

netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=1829a59ba6e8fa6467ea4607cf086b5e2d8d6426 Change-Id: If0e3aa0ed5800fcb02573200fba95d8a9c438914 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 15:30:27 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-25 13:25:19 +0200
commit: 5c82e974204fec2340cd7d24a54a15118fe0f4f9 (patch)
tree: 5051b782309b2cdf31174f7a3003f799bbf75824
parent: ac8dc20157f32d100cda9f7bb5d73eeea67fd0a1 (diff)
download: enea-kernel-cache-5c82e974204fec2340cd7d24a54a15118fe0f4f9.tar.gz
2 files changed, 67 insertions, 2 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 3d8e1ae..f0ed6a8 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -35,6 +35,6 @@ patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
 patch CVE-2016-10318-fscrypto-add-authorization-check-for-setting-encrypt.patch
 patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+#fixed in 4.1.51
+patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
diff --git a/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
new file mode 100644
index 0000000..28a21de
--- /dev/null
+++ b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
@@ -0,0 +1,65 @@
+From 1829a59ba6e8fa6467ea4607cf086b5e2d8d6426 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 01:24:15 +0100
+Subject: [PATCH] netfilter: ebtables: CONFIG_COMPAT: don't trust userland
+ offsets
+[ Upstream commit b71812168571fa55e44cdd0254471331b9c4c4c6 ]
+We need to make sure the offsets are not out of range of the
+total size.
+Also check that they are in ascending order.
+The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
+changed to also bail out, no point in continuing parsing.
+Briefly tested with simple ruleset of
+-A INPUT --limit 1/s' --log
+plus jump to custom chains using 32bit ebtables binary.
+CVE: CVE-2018-1068  
+Upstream-Status: Backport  
+Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 91180a7..3069eaf 100644
+--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
+@@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
+                if (match_kern)
+                        match_kern->match_size = ret;
+ 
+-               WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+               if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+                       return -EINVAL;
+
+                match32 = (struct compat_ebt_entry_mwt *) buf;
+        }
+ 
+@@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
+         *
+         * offsets are relative to beginning of struct ebt_entry (i.e., 0).
+         */
+       for (i = 0; i < 4 ; ++i) {
+               if (offsets[i] >= *total)
+                       return -EINVAL;
+               if (i == 0)
+                       continue;
+               if (offsets[i-1] > offsets[i])
+                       return -EINVAL;
+       }
+
+        for (i = 0, j = 1 ; j < 4 ; j++, i++) {
+                struct compat_ebt_entry_mwt *match32;
+                unsigned int size;
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 15:30:27 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-25 13:25:19 +0200
commit	5c82e974204fec2340cd7d24a54a15118fe0f4f9 (patch)
tree	5051b782309b2cdf31174f7a3003f799bbf75824
parent	ac8dc20157f32d100cda9f7bb5d73eeea67fd0a1 (diff)
download	enea-kernel-cache-5c82e974204fec2340cd7d24a54a15118fe0f4f9.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 3d8e1ae..f0ed6a8 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -35,6 +35,6 @@ patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
35	patch CVE-2016-10318-fscrypto-add-authorization-check-for-setting-encrypt.patch	35	patch CVE-2016-10318-fscrypto-add-authorization-check-for-setting-encrypt.patch
36	patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch	36	patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
37		37
38		38	#fixed in 4.1.51
39		39	patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
40		40


diff --git a/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch new file mode 100644 index 0000000..28a21de --- /dev/null +++ b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
@@ -0,0 +1,65 @@
		1	From 1829a59ba6e8fa6467ea4607cf086b5e2d8d6426 Mon Sep 17 00:00:00 2001
		2	From: Florian Westphal <fw@strlen.de>
		3	Date: Mon, 19 Feb 2018 01:24:15 +0100
		4	Subject: [PATCH] netfilter: ebtables: CONFIG_COMPAT: don't trust userland
		5	offsets
		6
		7	[ Upstream commit b71812168571fa55e44cdd0254471331b9c4c4c6 ]
		8
		9	We need to make sure the offsets are not out of range of the
		10	total size.
		11	Also check that they are in ascending order.
		12
		13	The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
		14	changed to also bail out, no point in continuing parsing.
		15
		16	Briefly tested with simple ruleset of
		17	-A INPUT --limit 1/s' --log
		18	plus jump to custom chains using 32bit ebtables binary.
		19
		20	CVE: CVE-2018-1068
		21	Upstream-Status: Backport
		22
		23	Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
		24	Signed-off-by: Florian Westphal <fw@strlen.de>
		25	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
		26	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
		27	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		28	---
		29	net/bridge/netfilter/ebtables.c \| 13 ++++++++++++-
		30	1 file changed, 12 insertions(+), 1 deletion(-)
		31
		32	diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
		33	index 91180a7..3069eaf 100644
		34	--- a/net/bridge/netfilter/ebtables.c
		35	+++ b/net/bridge/netfilter/ebtables.c
		36	@@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
		37	if (match_kern)
		38	match_kern->match_size = ret;
		39
		40	- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
		41	+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
		42	+ return -EINVAL;
		43	+
		44	match32 = (struct compat_ebt_entry_mwt *) buf;
		45	}
		46
		47	@@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry entry, const unsigned char base,
		48	*
		49	* offsets are relative to beginning of struct ebt_entry (i.e., 0).
		50	*/
		51	+ for (i = 0; i < 4 ; ++i) {
		52	+ if (offsets[i] >= *total)
		53	+ return -EINVAL;
		54	+ if (i == 0)
		55	+ continue;
		56	+ if (offsets[i-1] > offsets[i])
		57	+ return -EINVAL;
		58	+ }
		59	+
		60	for (i = 0, j = 1 ; j < 4 ; j++, i++) {
		61	struct compat_ebt_entry_mwt *match32;
		62	unsigned int size;
		63	--
		64	2.7.4
		65