From patchwork Fri Dec 1 00:46:07 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 843279 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="n4roohNl"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3ynwZ913qLz9sNr for ; Fri, 1 Dec 2017 11:46:25 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751801AbdLAAqW (ORCPT ); Thu, 30 Nov 2017 19:46:22 -0500 Received: from mail-qt0-f201.google.com ([209.85.216.201]:42072 "EHLO mail-qt0-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751303AbdLAAqU (ORCPT ); Thu, 30 Nov 2017 19:46:20 -0500 Received: by mail-qt0-f201.google.com with SMTP id v30so5859319qtg.9 for ; Thu, 30 Nov 2017 16:46:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:date:message-id:subject:from:to:cc; bh=DGbDZ0Ts3k8f9Yrdg7BMe2mWpqqUHd6n62Dz+bzq5jY=; b=n4roohNlSNx2YUjy94kLVN5FTz/FQqqMHRi0WfUvwJF/8MAz+vQZ0L1CKUe0sRvHmC aAen6S7RLLYQ0uTQjSkY2g9WS7f4LdCHVddao+RMjAhi2EuYq11HHxLH7b8xySjGBACL l8pNv4yZL1lyOTbNyHH6CtVRpFaXjIRyIIlXp0IqUwgxvSnkxTbQhpA66i28J47E505t n8qOT+UHlsX4w/FC9IHmvaWJnzus6LXSv6llOnEkcIMlGTUk/UexVbAIdeTAem3Tb2ZY elaZUAZhV3d0M6ZT5dsjAtHyHj2IIPdQEX+UbvIJhAq5aNThJXiq/LJ87TeFm4SuIQ43 yzYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc; bh=DGbDZ0Ts3k8f9Yrdg7BMe2mWpqqUHd6n62Dz+bzq5jY=; b=h9tXR4sH7sJZhkda39iRRmyMpTLKW/SF7B8h1NC+hL4976+8Z2PLs9wVRUd1myTlxN XYfAz/+RgAuoKH0hbLz+nIeRZlH/549+kltcwWMpBm5BHkUdPEmQePoZshIfG9c5Lud4 1GIxvfMGpJ7y+/Lu2/fguChYSdFGqR6R5Xmk56rX1P7n3zLA01hfcsW8740z9OXJKNG3 K+efcVijKcukadpRxihW5DQxgdpW2l91BX94iHjnuLscPtYuHwkohnWBHgLyFkTEYUAm viW9D1suYB2QC9SZ6/TwC3lv8ueZ/YKlSpPeU7Lqw8koOJjHsGv/BZtyDGiuTf3eFltP x2Lg== X-Gm-Message-State: AKGB3mJaahmX7P98X9VzFoZXNIlDiFH9rKY9FhdSBhhAqSnHuQYB96l3 j2s/wrXP9fRvgbr+/B0udUdWJX7sRw== X-Google-Smtp-Source: AGs4zMaGpnqxGZoeng6nSTAiLuRdYZzCGP6OtTPBmkGr9nUitd5Wwp7xdIy+Xe5Cu0pZL8HRwnHCl8dVNw== MIME-Version: 1.0 X-Received: by 10.55.31.145 with SMTP id n17mr2840008qkh.36.1512089180046; Thu, 30 Nov 2017 16:46:20 -0800 (PST) Date: Fri, 1 Dec 2017 01:46:07 +0100 Message-Id: <20171201004607.7389-1-jannh@google.com> X-Mailer: git-send-email 2.15.0.531.g2ccb3012c9-goog Subject: [PATCH] netfilter: add overflow checks in xt_bpf.c From: Jann Horn To: Willem de Bruijn , Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , "David S. Miller" Cc: netdev@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Check whether inputs from userspace are too long (explicit length field too big or string not null-terminated) to avoid out-of-bounds reads. As far as I can tell, this can at worst lead to very limited kernel heap memory disclosure or oopses. This bug can be triggered by an unprivileged user even if the xt_bpf module is not loaded: iptables is available in network namespaces, and the xt_bpf module can be autoloaded. Triggering the bug with a classic BPF filter with fake length 0x1000 causes the following KASAN report: ================================================================== BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0 Read of size 32768 at addr ffff8801eff2c494 by task test/4627 CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1 [...] Call Trace: dump_stack+0x5c/0x85 print_address_description+0x6a/0x260 kasan_report+0x254/0x370 ? bpf_prog_create+0x84/0xf0 memcpy+0x1f/0x50 bpf_prog_create+0x84/0xf0 bpf_mt_check+0x90/0xd6 [xt_bpf] [...] Allocated by task 4627: kasan_kmalloc+0xa0/0xd0 __kmalloc_node+0x47/0x60 xt_alloc_table_info+0x41/0x70 [x_tables] [...] The buggy address belongs to the object at ffff8801eff2c3c0 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 212 bytes inside of 2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0) [...] ================================================================== Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match") Signed-off-by: Jann Horn --- net/netfilter/xt_bpf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c index 041da0d9c06f..1f7fbd3c7e5a 100644 --- a/net/netfilter/xt_bpf.c +++ b/net/netfilter/xt_bpf.c @@ -27,6 +27,9 @@ static int __bpf_mt_check_bytecode(struct sock_filter *insns, __u16 len, { struct sock_fprog_kern program; + if (len > XT_BPF_MAX_NUM_INSTR) + return -EINVAL; + program.len = len; program.filter = insns; @@ -55,6 +58,9 @@ static int __bpf_mt_check_path(const char *path, struct bpf_prog **ret) mm_segment_t oldfs = get_fs(); int retval, fd; + if (strnlen(path, XT_BPF_PATH_MAX) == XT_BPF_PATH_MAX) + return -EINVAL; + set_fs(KERNEL_DS); fd = bpf_obj_get_user(path, 0); set_fs(oldfs);