diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 15:30:27 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-25 13:25:19 +0200 |
commit | 5c82e974204fec2340cd7d24a54a15118fe0f4f9 (patch) | |
tree | 5051b782309b2cdf31174f7a3003f799bbf75824 | |
parent | ac8dc20157f32d100cda9f7bb5d73eeea67fd0a1 (diff) | |
download | enea-kernel-cache-5c82e974204fec2340cd7d24a54a15118fe0f4f9.tar.gz |
netfilter: CVE-2018-1068
netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=1829a59ba6e8fa6467ea4607cf086b5e2d8d6426
Change-Id: If0e3aa0ed5800fcb02573200fba95d8a9c438914
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 4 | ||||
-rw-r--r-- | patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch | 65 |
2 files changed, 67 insertions, 2 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 3d8e1ae..f0ed6a8 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc | |||
@@ -35,6 +35,6 @@ patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch | |||
35 | patch CVE-2016-10318-fscrypto-add-authorization-check-for-setting-encrypt.patch | 35 | patch CVE-2016-10318-fscrypto-add-authorization-check-for-setting-encrypt.patch |
36 | patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch | 36 | patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch |
37 | 37 | ||
38 | 38 | #fixed in 4.1.51 | |
39 | 39 | patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch | |
40 | 40 | ||
diff --git a/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch new file mode 100644 index 0000000..28a21de --- /dev/null +++ b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From 1829a59ba6e8fa6467ea4607cf086b5e2d8d6426 Mon Sep 17 00:00:00 2001 | ||
2 | From: Florian Westphal <fw@strlen.de> | ||
3 | Date: Mon, 19 Feb 2018 01:24:15 +0100 | ||
4 | Subject: [PATCH] netfilter: ebtables: CONFIG_COMPAT: don't trust userland | ||
5 | offsets | ||
6 | |||
7 | [ Upstream commit b71812168571fa55e44cdd0254471331b9c4c4c6 ] | ||
8 | |||
9 | We need to make sure the offsets are not out of range of the | ||
10 | total size. | ||
11 | Also check that they are in ascending order. | ||
12 | |||
13 | The WARN_ON triggered by syzkaller (it sets panic_on_warn) is | ||
14 | changed to also bail out, no point in continuing parsing. | ||
15 | |||
16 | Briefly tested with simple ruleset of | ||
17 | -A INPUT --limit 1/s' --log | ||
18 | plus jump to custom chains using 32bit ebtables binary. | ||
19 | |||
20 | CVE: CVE-2018-1068 | ||
21 | Upstream-Status: Backport | ||
22 | |||
23 | Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com> | ||
24 | Signed-off-by: Florian Westphal <fw@strlen.de> | ||
25 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||
26 | Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> | ||
27 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
28 | --- | ||
29 | net/bridge/netfilter/ebtables.c | 13 ++++++++++++- | ||
30 | 1 file changed, 12 insertions(+), 1 deletion(-) | ||
31 | |||
32 | diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c | ||
33 | index 91180a7..3069eaf 100644 | ||
34 | --- a/net/bridge/netfilter/ebtables.c | ||
35 | +++ b/net/bridge/netfilter/ebtables.c | ||
36 | @@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, | ||
37 | if (match_kern) | ||
38 | match_kern->match_size = ret; | ||
39 | |||
40 | - WARN_ON(type == EBT_COMPAT_TARGET && size_left); | ||
41 | + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) | ||
42 | + return -EINVAL; | ||
43 | + | ||
44 | match32 = (struct compat_ebt_entry_mwt *) buf; | ||
45 | } | ||
46 | |||
47 | @@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, | ||
48 | * | ||
49 | * offsets are relative to beginning of struct ebt_entry (i.e., 0). | ||
50 | */ | ||
51 | + for (i = 0; i < 4 ; ++i) { | ||
52 | + if (offsets[i] >= *total) | ||
53 | + return -EINVAL; | ||
54 | + if (i == 0) | ||
55 | + continue; | ||
56 | + if (offsets[i-1] > offsets[i]) | ||
57 | + return -EINVAL; | ||
58 | + } | ||
59 | + | ||
60 | for (i = 0, j = 1 ; j < 4 ; j++, i++) { | ||
61 | struct compat_ebt_entry_mwt *match32; | ||
62 | unsigned int size; | ||
63 | -- | ||
64 | 2.7.4 | ||
65 | |||