From c8dd6dd3ce75f747da54776c6168372a5cec9a68 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 12 Oct 2018 09:36:26 +0200 Subject: netfilter: CVE-2018-1065 netfilter: add back stackpointer size checks References: https://github.com/torvalds/linux/commit/57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Change-Id: I5ee1c9b8036563602332c41163740dbc90a294fd Signed-off-by: Andreas Wellving --- patches/cve/4.9.x.scc | 3 + ...tfilter-add-back-stackpointer-size-checks.patch | 88 ++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 96b6bcd..fd6f5c7 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc @@ -1,3 +1,6 @@ #CVEs fixed in 4.9.82: patch CVE-2017-18344-posix-timer-Properly-check-sigevent-sigev_notify.patch patch CVE-2017-8824-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch + +#CVEs fixed in 4.9.88: +patch CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch diff --git a/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch new file mode 100644 index 0000000..5dc21e3 --- /dev/null +++ b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch @@ -0,0 +1,88 @@ +From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 7 Feb 2018 13:46:25 +0100 +Subject: [PATCH] netfilter: add back stackpointer size checks + +The rationale for removing the check is only correct for rulesets +generated by ip(6)tables. + +In iptables, a jump can only occur to a user-defined chain, i.e. +because we size the stack based on number of user-defined chains we +cannot exceed stack size. + +However, the underlying binary format has no such restriction, +and the validation step only ensures that the jump target is a +valid rule start point. + +IOW, its possible to build a rule blob that has no user-defined +chains but does contain a jump. + +If this happens, no jump stack gets allocated and crash occurs +because no jumpstack was allocated. + +CVE: CVE-2018-1065 +Upstream-Status: Backport + +Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset") +Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Andreas Wellving +--- + net/ipv4/netfilter/arp_tables.c | 4 ++++ + net/ipv4/netfilter/ip_tables.c | 7 ++++++- + net/ipv6/netfilter/ip6_tables.c | 4 ++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 4ffe302..e3e420f 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb, + } + if (table_base + v + != arpt_next_entry(e)) { ++ if (unlikely(stackidx >= private->stacksize)) { ++ verdict = NF_DROP; ++ break; ++ } + jumpstack[stackidx++] = e; + } + +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 9a71f31..e38395a 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb, + continue; + } + if (table_base + v != ipt_next_entry(e) && +- !(e->ip.flags & IPT_F_GOTO)) ++ !(e->ip.flags & IPT_F_GOTO)) { ++ if (unlikely(stackidx >= private->stacksize)) { ++ verdict = NF_DROP; ++ break; ++ } + jumpstack[stackidx++] = e; ++ } + + e = get_entry(table_base, v); + continue; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index af4c917..62358b9 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb, + } + if (table_base + v != ip6t_next_entry(e) && + !(e->ipv6.flags & IP6T_F_GOTO)) { ++ if (unlikely(stackidx >= private->stacksize)) { ++ verdict = NF_DROP; ++ break; ++ } + jumpstack[stackidx++] = e; + } + +-- + + -- cgit v1.2.3-54-g00ecf