Message ID | 1457636317-13541-1-git-send-email-chris.j.arges@canonical.com |
---|---|
State | New |
On Thu, Mar 10, 2016 at 12:58:37PM -0600, Chris J Arges wrote: > From: Florian Westphal <fw@strlen.de> > > BugLink: http://bugs.launchpad.net/bugs/1555353 > > http://marc.info/?l=netfilter-devel&m=145757136822750&w=2 > > Ben Hawkes says: > integer overflow in xt_alloc_table_info, which on 32-bit systems can > lead to small structure allocation and a copy_from_user based heap > corruption. > > Reported-by: Ben Hawkes <hawkes@google.com> > Signed-off-by: Florian Westphal <fw@strlen.de> > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > Signed-off-by: Chris J Arges <chris.j.arges@canonical.com> > --- > net/netfilter/x_tables.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > index d324fe7..7884241 100644 > --- a/net/netfilter/x_tables.c > +++ b/net/netfilter/x_tables.c > @@ -661,6 +661,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) > struct xt_table_info *info = NULL; > size_t sz = sizeof(*info) + size; > > + if (sz < size || sz < sizeof(*info)) > + return NULL; > + > /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ > if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) > return NULL; > -- > 2.7.0 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index d324fe7..7884241 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -661,6 +661,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) struct xt_table_info *info = NULL; size_t sz = sizeof(*info) + size; + if (sz < size || sz < sizeof(*info)) + return NULL; + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages) return NULL;
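Review bot: the new guard in xt_alloc_table_info(), `if (sz < size || sz < sizeof(*info))`, has no comment saying what it protects against, while the check directly below it carries one. A one-line comment stating that it rejects a wrapped `sizeof(*info) + size` (the 32-bit case named in the commit message, where `size_t` is no wider than `unsigned int`) would keep a later cleanup from dropping it as dead code. The two comparisons are also equivalent: in unsigned arithmetic a wrapped sum is smaller than both operands and a sum that did not wrap is at least as large as both, so `sz < size` alone detects the overflow. Keeping both is harmless, but if that is deliberate the comment should say so.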