Message ID | 20150519231120.GA1761@codemonkey.org.uk |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
Headers | show |
Dave Jones <davej@codemonkey.org.uk> wrote: > After improving setsockopt() coverage in trinity, I started triggering > vmalloc failures pretty reliably from this code path: > > warn_alloc_failed+0xe9/0x140 > __vmalloc_node_range+0x1be/0x270 > vzalloc+0x4b/0x50 > __do_replace+0x52/0x260 [ip_tables] > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] > nf_setsockopt+0x65/0x90 > ip_setsockopt+0x61/0xa0 > raw_setsockopt+0x16/0x60 > sock_common_setsockopt+0x14/0x20 > SyS_setsockopt+0x71/0xd0 > > It turns out we don't validate that the num_counters field in the > struct we pass in from userspace is initialized. > > Signed-off-by: Dave Jones <davej@codemonkey.org.uk> > > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c > index c69db7fa25ee..12a33d178614 100644 > --- a/net/ipv4/netfilter/ip_tables.c > +++ b/net/ipv4/netfilter/ip_tables.c > @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) > /* overflow check */ > if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) > return -ENOMEM; > + if (tmp.num_counters == 0) > + return -EINVAL; > + Good catch. Due to iptables wonderful copy-paste programming model, this also needs fixing in compat_do_replace, ip6tables, arbtables and ebtables (8 different places, ick). -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, May 20, 2015 at 01:19:50AM +0200, Florian Westphal wrote: > Dave Jones <davej@codemonkey.org.uk> wrote: > > After improving setsockopt() coverage in trinity, I started triggering > > vmalloc failures pretty reliably from this code path: > > > > warn_alloc_failed+0xe9/0x140 > > __vmalloc_node_range+0x1be/0x270 > > vzalloc+0x4b/0x50 > > __do_replace+0x52/0x260 [ip_tables] > > do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] > > nf_setsockopt+0x65/0x90 > > ip_setsockopt+0x61/0xa0 > > raw_setsockopt+0x16/0x60 > > sock_common_setsockopt+0x14/0x20 > > SyS_setsockopt+0x71/0xd0 > > > > It turns out we don't validate that the num_counters field in the > > struct we pass in from userspace is initialized. > > > > Signed-off-by: Dave Jones <davej@codemonkey.org.uk> > > > > diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c > > index c69db7fa25ee..12a33d178614 100644 > > --- a/net/ipv4/netfilter/ip_tables.c > > +++ b/net/ipv4/netfilter/ip_tables.c > > @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) > > /* overflow check */ > > if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) > > return -ENOMEM; > > + if (tmp.num_counters == 0) > > + return -EINVAL; > > + > > Good catch. Due to iptables wonderful copy-paste programming model, > this also needs fixing in compat_do_replace, ip6tables, arbtables and > ebtables (8 different places, ick). ugh. ok, I'll fix them all up. What's the preferred format, 8 separate patches, or 1 all-in-one diff for all instances of this bug ? thanks, Dave -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Dave Jones <davej@codemonkey.org.uk> Date: Tue, 19 May 2015 19:42:52 -0400 > What's the preferred format, 8 separate patches, or 1 all-in-one > diff for all instances of this bug ? Personally, I think you could do this in one patch. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index c69db7fa25ee..12a33d178614 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len) /* overflow check */ if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters)) return -ENOMEM; + if (tmp.num_counters == 0) + return -EINVAL; + tmp.name[sizeof(tmp.name)-1] = 0; newinfo = xt_alloc_table_info(tmp.size);
After improving setsockopt() coverage in trinity, I started triggering vmalloc failures pretty reliably from this code path: warn_alloc_failed+0xe9/0x140 __vmalloc_node_range+0x1be/0x270 vzalloc+0x4b/0x50 __do_replace+0x52/0x260 [ip_tables] do_ipt_set_ctl+0x15d/0x1d0 [ip_tables] nf_setsockopt+0x65/0x90 ip_setsockopt+0x61/0xa0 raw_setsockopt+0x16/0x60 sock_common_setsockopt+0x14/0x20 SyS_setsockopt+0x71/0xd0 It turns out we don't validate that the num_counters field in the struct we pass in from userspace is initialized. Signed-off-by: Dave Jones <davej@codemonkey.org.uk> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html