[4.9,144/165] netfilter: xt_bpf: add overflow checks

Message ID	20200227132251.928547530@linuxfoundation.org
State	New
Headers	show Return-Path: <SRS0=mLYK=4P=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Jann Horn <jannh@google.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Zubin Mithra <zsm@chromium.org>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 4.9 144/165] netfilter: xt_bpf: add overflow checks Date: Thu, 27 Feb 2020 14:36:58 +0100 Message-Id: <20200227132251.928547530@linuxfoundation.org> In-Reply-To: <20200227132230.840899170@linuxfoundation.org> References: <20200227132230.840899170@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.9,002/165] KVM: x86: emulate RDPID [4.9,003/165] ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs [4.9,004/165] ecryptfs: fix a memory leak bug in parse_tag_1_packet() [4.9,006/165] ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 [4.9,007/165] ext4: dont assume that mmp_nodename/bdevname have NUL [4.9,010/165] Btrfs: fix race between using extent maps and merging them [4.9,011/165] btrfs: log message when rw remount is attempted with unclean tree-log [4.9,012/165] perf/x86/amd: Add missing L2 misses event spec to AMD Family 17hs event map [4.9,015/165] perf/x86/intel: Fix inaccurate period in context switch for auto-reload [4.9,016/165] hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions. [4.9,021/165] Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs" [4.9,022/165] drm/gma500: Fixup fbdev stolen size usage evaluation [4.9,024/165] brcmfmac: Fix use after free in brcmf_sdio_readframes() [4.9,025/165] gianfar: Fix TX timestamping with a stacked DSA driver [4.9,027/165] pxa168fb: Fix the function used to release some memory in an error handling path [4.9,029/165] powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number [4.9,030/165] gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap() [4.9,033/165] efi/x86: Map the entire EFI vendor string before copying it [4.9,035/165] sparc: Add .exit.data section. [4.9,037/165] usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe() [4.9,039/165] x86/sysfb: Fix check for bad VRAM size [4.9,042/165] ext4, jbd2: ensure panic when aborting with zero errno [4.9,044/165] clk: qcom: rcg2: Dont crash if our parent cant be found; return an error [4.9,046/165] regulator: rk808: Lower log level on optional GPIOs being not available [4.9,048/165] PCI/IOV: Fix memory leak in pci_iov_add_virtfn() [4.9,051/165] reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling [4.9,053/165] b43legacy: Fix -Wcast-function-type [4.9,054/165] ipw2x00: Fix -Wcast-function-type [4.9,057/165] orinoco: avoid assertion in case of NULL pointer [4.9,058/165] ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 [4.9,062/165] x86/vdso: Provide missing include file [4.9,063/165] PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency [4.9,065/165] RDMA/rxe: Fix error type of mmap_offset [4.9,067/165] tools lib api fs: Fix gcc9 stringop-truncation compilation error [4.9,070/165] soc/tegra: fuse: Correct straps address for older Tegra124 device trees [4.9,071/165] rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls [4.9,072/165] Input: edt-ft5x06 - work around first register access error [4.9,074/165] ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m [4.9,076/165] tty: synclink_gt: Adjust indentation in several functions [4.9,078/165] driver core: Print device when resources present in really_probe() [4.9,081/165] drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler [4.9,083/165] usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue [4.9,086/165] arm64: fix alternatives with LLVMs integrated assembler [4.9,087/165] pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional [4.9,088/165] cmd64x: potential buffer overflow in cmd64x_program_timings() [4.9,089/165] ide: serverworks: potential overflow in svwks_set_pio_mode() [4.9,090/165] remoteproc: Initialize rproc_class before use [4.9,093/165] driver core: platform: fix u32 greater or equal to zero comparison [4.9,094/165] ALSA: hda - Add docking station support for Lenovo Thinkpad T420s [4.9,097/165] ARM: 8951/1: Fix Kexec compilation issue. [4.9,098/165] hostap: Adjust indentation in prism2_hostapd_add_sta [4.9,101/165] irqchip/gic-v3: Only provision redistributors that are enabled in ACPI [4.9,102/165] drm/nouveau/disp/nv50-: prevent oops when no channel method map provided [4.9,105/165] radeon: insert 10ms sleep in dce5_crtc_load_lut [4.9,107/165] lib/scatterlist.c: adjust indentation in __sg_alloc_table [4.9,109/165] bcache: explicity type cast in bset_bkey_last() [4.9,111/165] iwlwifi: mvm: Fix thermal zone registration [4.9,114/165] help_next should increase position index [4.9,116/165] enic: prevent waking up stopped tx queues over watchdog reset [4.9,119/165] floppy: check FDC index for errors before assigning it [4.9,120/165] vt: selection, handle pending signals in paste_selection [4.9,122/165] staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi. [4.9,125/165] USB: Fix novation SourceControl XL after suspend [4.9,129/165] x86/mce/amd: Publish the bank pointer only after setup has succeeded [4.9,132/165] tty: serial: imx: setup the correct sg entry for tx dma [4.9,133/165] Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" [4.9,135/165] KVM: x86: dont notify userspace IOAPIC on edge-triggered interrupt EOI [4.9,136/165] VT_RESIZEX: get rid of field-by-field copyin [4.9,138/165] powerpc/tm: P9 disable transactionally suspended sigcontexts [4.9,141/165] lib/stackdepot: Fix outdated comments [4.9,143/165] KVM: nVMX: Dont emulate instructions in guest mode [4.9,144/165] netfilter: xt_bpf: add overflow checks [4.9,146/165] ext4: add cond_resched() to __ext4_find_entry() [4.9,147/165] ext4: fix mount failure with quota configured as module [4.9,150/165] KVM: nVMX: Refactor IO bitmap checks into helper function [4.9,152/165] KVM: apic: avoid calculating pending eoi from an uninitialized val [4.9,153/165] Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents [4.9,155/165] scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" [4.9,156/165] usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus [4.9,159/165] ALSA: rawmidi: Avoid bit fields for state flags [4.9,161/165] ALSA: seq: Fix concurrent access to queue current tick/time [4.9,162/165] netfilter: xt_hashlimit: limit the max size of hashtable [4.9,165/165] s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range

Message ID

20200227132251.928547530@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jann Horn <jannh@google.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>, Zubin Mithra <zsm@chromium.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 144/165] netfilter: xt_bpf: add overflow checks
Date: Thu, 27 Feb 2020 14:36:58 +0100
Message-Id: <20200227132251.928547530@linuxfoundation.org>
In-Reply-To: <20200227132230.840899170@linuxfoundation.org>
References: <20200227132230.840899170@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman Feb. 27, 2020, 1:36 p.m. UTC

From: Jann Horn <jannh@google.com>

[ Upstream commit 6ab405114b0b229151ef06f4e31c7834dd09d0c0 ]

Check whether inputs from userspace are too long (explicit length field too
big or string not null-terminated) to avoid out-of-bounds reads.

As far as I can tell, this can at worst lead to very limited kernel heap
memory disclosure or oopses.

This bug can be triggered by an unprivileged user even if the xt_bpf module
is not loaded: iptables is available in network namespaces, and the xt_bpf
module can be autoloaded.

Triggering the bug with a classic BPF filter with fake length 0x1000 causes
the following KASAN report:

==================================================================
BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0
Read of size 32768 at addr ffff8801eff2c494 by task test/4627

CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1
[...]
Call Trace:
 dump_stack+0x5c/0x85
 print_address_description+0x6a/0x260
 kasan_report+0x254/0x370
 ? bpf_prog_create+0x84/0xf0
 memcpy+0x1f/0x50
 bpf_prog_create+0x84/0xf0
 bpf_mt_check+0x90/0xd6 [xt_bpf]
[...]
Allocated by task 4627:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc_node+0x47/0x60
 xt_alloc_table_info+0x41/0x70 [x_tables]
[...]
The buggy address belongs to the object at ffff8801eff2c3c0
                which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 212 bytes inside of
                2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0)
[...]
==================================================================

Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/xt_bpf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index dffee9d47ec4b..7b993f25aab92 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -25,6 +25,9 @@  static int bpf_mt_check(const struct xt_mtchk_param *par)
 	struct xt_bpf_info *info = par->matchinfo;
 	struct sock_fprog_kern program;
 
+	if (info->bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR)
+		return -EINVAL;
+
 	program.len = info->bpf_program_num_elem;
 	program.filter = info->bpf_program;

[4.9,144/165] netfilter: xt_bpf: add overflow checks

Commit Message

Patch