[linux] 02/02: netfilter: ensure number of counters is >0 in do_replace()
Sat Jun 25 22:07:59 UTC 2016
benh pushed a commit to branch jessie-security
in repository linux.
commit 234044f64d2d17762e9779e292a96fb2869feceb
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Jun 25 23:36:41 2016 +0200
netfilter: ensure number of counters is >0 in do_replace()
---
debian/changelog | 1 +
...nsure-number-of-counters-is-0-in-do_repla.patch | 120 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 122 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8e40b87..84d713e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
linux (3.16.7-ckt25-2+deb8u2) UNRELEASED; urgency=medium
* Fix backport of "netfilter: x_tables: validate targets of jumps"
+ * netfilter: ensure number of counters is >0 in do_replace()
-- Ben Hutchings <ben at decadent.org.uk> Sat, 25 Jun 2016 23:14:03 +0200
diff --git a/debian/patches/bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch b/debian/patches/bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
new file mode 100644
index 0000000..8d93acb
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
@@ -0,0 +1,120 @@
+From: Dave Jones <davej at codemonkey.org.uk>
+Date: Tue, 19 May 2015 20:55:17 -0400
+Subject: netfilter: ensure number of counters is >0 in do_replace()
+Origin: https://git.kernel.org/linus/1086bbe97a074844188c6c988fa0b1a98c3ccbb9
+
+After improving setsockopt() coverage in trinity, I started triggering
+vmalloc failures pretty reliably from this code path:
+
+warn_alloc_failed+0xe9/0x140
+__vmalloc_node_range+0x1be/0x270
+vzalloc+0x4b/0x50
+__do_replace+0x52/0x260 [ip_tables]
+do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
+nf_setsockopt+0x65/0x90
+ip_setsockopt+0x61/0xa0
+raw_setsockopt+0x16/0x60
+sock_common_setsockopt+0x14/0x20
+SyS_setsockopt+0x71/0xd0
+
+It turns out we don't validate that the num_counters field in the
+struct we pass in from userspace is initialized.
+
+The same problem also exists in ebtables, arptables, ipv6, and the
+compat variants.
+
+Signed-off-by: Dave Jones <davej at codemonkey.org.uk>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/bridge/netfilter/ebtables.c | 4 ++++
+ net/ipv4/netfilter/arp_tables.c | 6 ++++++
+ net/ipv4/netfilter/ip_tables.c | 6 ++++++
+ net/ipv6/netfilter/ip6_tables.c | 6 ++++++
+ 4 files changed, 22 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1105,6 +1105,8 @@ static int do_replace(struct net *net, c
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
+
+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
+@@ -2150,6 +2152,8 @@ static int compat_copy_ebt_replace_from_
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
+
+ memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1082,6 +1082,9 @@ static int do_replace(struct net *net, c
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
++
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+@@ -1392,6 +1395,9 @@ static int compat_do_replace(struct net
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
++
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1268,6 +1268,9 @@ do_replace(struct net *net, const void _
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
++
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+@@ -1669,6 +1672,9 @@ compat_do_replace(struct net *net, void
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
++
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1278,6 +1278,9 @@ do_replace(struct net *net, const void _
+ /* overflow check */
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
++
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
+@@ -1672,6 +1675,9 @@ compat_do_replace(struct net *net, void
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+ return -ENOMEM;
++ if (tmp.num_counters == 0)
++ return -EINVAL;
++
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
+ newinfo = xt_alloc_table_info(tmp.size);
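Review bot: The added `if (tmp.num_counters == 0) return -EINVAL;` guards reject only the zero case, whereas the description says num_counters is not validated as initialized — a non-zero stale value that is still below `INT_MAX / sizeof(...)` passes both checks, so any defence against a counter array that does not match the live table must come from a later comparison against the table's entry count, which is outside this hunk and worth confirming in the 3.16 tree for all four modules before treating this as full validation. The new lines carry no comment and the existing `/* overflow check */` does not cover them; I would add `/* a table always has at least one counter; reject 0 before allocating */` above each pair. It is also slightly inconsistent that the overflow case returns -ENOMEM while the zero case returns -EINVAL for what are both malformed userspace inputs, though aligning the older check is out of scope for a backport. All six insertion points sit inside do_replace()/compat_do_replace() bodies that begin and end outside the hunk.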
diff --git a/debian/patches/series b/debian/patches/series
index 6d2e9d2..2be4b88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -722,3 +722,4 @@ bugfix/all/netfilter-x_tables-introduce-and-use-xt_copy_counter.patch
bugfix/all/posix_acl-Add-set_posix_acl.patch
bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch
debian/migrate-fix-abi-change-in-3.16.36.patch
+bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch