korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-11 12:28:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
c3adcc7dfb
linux/net/bridge
History
Florian Westphal 5c04da55c7 netfilter: ebtables: reject bogus getopt len value 
syzkaller reports splat:
------------[ cut here ]------------
Buffer overflow detected (80 < 137)!
Call Trace:
 do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
 nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]

caused by a copy-to-user with a too-large "*len" value.
This adds a argument check on *len just like in the non-compat version
of the handler.

Before the "Fixes" commit, the reproducer fails with -EINVAL as
expected:
1. core calls the "compat" getsockopt version
2. compat getsockopt version detects the *len value is possibly
   in 64-bit layout (*len != compat_len)
3. compat getsockopt version delegates everything to native getsockopt
   version
4. native getsockopt rejects invalid *len

-> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.

After the refactor, event sequence is:
1. getsockopt calls "compat" version (len != native_len)
2. compat version attempts to copy *len bytes, where *len is random
   value from userspace

Fixes: fc66de8e16 ("netfilter/ebtables: clean up compat {get, set}sockopt handling")
Reported-by: syzbot+5accb5c62faa1d346480@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-08-14 11:59:08 +02:00
..
netfilter netfilter: ebtables: reject bogus getopt len value 2020-08-14 11:59:08 +02:00
br_arp_nd_proxy.c bridge: Avoid infinite loop when suppressing NS messages with invalid options 2020-06-01 11:08:41 -07:00
br_device.c net: bridge: clear bridge's private skb space on xmit 2020-08-03 15:26:46 -07:00
br_fdb.c net: bridge: add a flag to avoid refreshing fdb when changing/adding 2020-06-24 14:36:33 -07:00
br_forward.c net: bridge: check port state before br_allowed_egress 2020-01-24 12:58:14 +01:00
br_if.c net: bridge: allow enslaving some DSA master network devices 2020-05-10 19:52:33 -07:00
br_input.c net: bridge: allow enslaving some DSA master network devices 2020-05-10 19:52:33 -07:00
br_ioctl.c net: bridge: Add checks for enabling the STP. 2020-04-27 11:40:25 -07:00
br_mdb.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-09-15 14:17:27 +02:00
br_mrp_netlink.c bridge: mrp: Extend br_mrp_fill_info 2020-07-14 13:46:43 -07:00
br_mrp_switchdev.c bridge: switchdev: mrp: Extend MRP API for switchdev for MRP Interconnect 2020-07-14 13:46:43 -07:00
br_mrp.c bridge: mrp: Implement the MRP Interconnect API 2020-07-14 13:46:43 -07:00
br_multicast.c bridge: mcast: Fix MLD2 Report IPv6 payload length check 2020-07-07 15:37:57 -07:00
br_netfilter_hooks.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
br_netfilter_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-06-25 01:32:59 +02:00
br_netlink_tunnel.c net: bridge: notify on vlan tunnel changes done via the old api 2020-07-12 15:18:24 -07:00
br_netlink.c net: bridge: Add port attribute IFLA_BRPORT_MRP_IN_OPEN 2020-07-14 13:46:43 -07:00
br_nf_core.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
br_private_mrp.h bridge: mrp: Implement the MRP Interconnect API 2020-07-14 13:46:43 -07:00
br_private_stp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_private_tunnel.h net: bridge: vlan options: add support for tunnel mapping set/del 2020-03-17 22:47:12 -07:00
br_private.h net: bridge: fix undefined br_vlan_can_enter_range in tunnel code 2020-07-13 11:22:55 -07:00
br_stp_bpdu.c net: bridge: add STP xstats 2019-12-14 20:02:36 -08:00
br_stp_if.c net: remove newlines in NL_SET_ERR_MSG_MOD 2020-05-07 17:56:14 -07:00
br_stp_timer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_stp.c net: bridge: Add checks for enabling the STP. 2020-04-27 11:40:25 -07:00
br_switchdev.c net: bridge: fdb: convert offloaded to use bitops 2019-10-29 18:12:49 -07:00
br_sysfs_br.c net: bridge: Add checks for enabling the STP. 2020-04-27 11:40:25 -07:00
br_sysfs_if.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_vlan_options.c net: bridge: vlan options: move the tunnel command to the nested attribute 2020-03-20 08:52:20 -07:00
br_vlan_tunnel.c net: bridge: vlan tunnel: constify bridge and port arguments 2020-03-17 22:47:12 -07:00
br_vlan.c net: bridge: vlan options: nest the tunnel id into a tunnel info attribute 2020-03-20 08:52:20 -07:00
br.c treewide: Use sizeof_field() macro 2019-12-09 10:36:44 -08:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile bridge: mrp: Connect MRP API with the switchdev API 2020-04-27 11:40:25 -07:00