From 8fcc60e5208dbcf4a2ed3ad04cb0397869befb3b Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 12 Oct 2018 09:38:58 +0200 Subject: netfilter: CVE-2018-1068 netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b71812168571fa55e44cdd0254471331b9c4c4c6 Change-Id: I4b658659993380dc9a3aeee4620061ac0e9d5a63 Signed-off-by: Andreas Wellving --- patches/cve/4.9.x.scc | 1 + ...btables-CONFIG_COMPAT-don-t-trust-userlan.patch | 62 ++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index fd6f5c7..51591c7 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc @@ -4,3 +4,4 @@ patch CVE-2017-8824-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch #CVEs fixed in 4.9.88: patch CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch +patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch diff --git a/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch new file mode 100644 index 0000000..7723764 --- /dev/null +++ b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch @@ -0,0 +1,62 @@ +From b71812168571fa55e44cdd0254471331b9c4c4c6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 19 Feb 2018 01:24:15 +0100 +Subject: [PATCH] netfilter: ebtables: CONFIG_COMPAT: don't trust userland + offsets + +We need to make sure the offsets are not out of range of the +total size. +Also check that they are in ascending order. + +The WARN_ON triggered by syzkaller (it sets panic_on_warn) is +changed to also bail out, no point in continuing parsing. + +Briefly tested with simple ruleset of +-A INPUT --limit 1/s' --log +plus jump to custom chains using 32bit ebtables binary. + +CVE: CVE-2018-1068 +Upstream-Status: Backport + +Reported-by: +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Andreas Wellving +--- + net/bridge/netfilter/ebtables.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 61f8787..254ef9f 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2060,7 +2060,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, + if (match_kern) + match_kern->match_size = ret; + +- WARN_ON(type == EBT_COMPAT_TARGET && size_left); ++ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ return -EINVAL; ++ + match32 = (struct compat_ebt_entry_mwt *) buf; + } + +@@ -2116,6 +2118,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, + * + * offsets are relative to beginning of struct ebt_entry (i.e., 0). + */ ++ for (i = 0; i < 4 ; ++i) { ++ if (offsets[i] >= *total) ++ return -EINVAL; ++ if (i == 0) ++ continue; ++ if (offsets[i-1] > offsets[i]) ++ return -EINVAL; ++ } ++ + for (i = 0, j = 1 ; j < 4 ; j++, i++) { + struct compat_ebt_entry_mwt *match32; + unsigned int size; +-- + + -- cgit v1.2.3-54-g00ecf