netfilter: CVE-2018-1068

netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b71812168571fa55e44cdd0254471331b9c4c4c6

Change-Id: I4b658659993380dc9a3aeee4620061ac0e9d5a63
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 63 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index fd6f5c7..51591c7 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -4,3 +4,4 @@ patch CVE-2017-8824-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 
 #CVEs fixed in 4.9.88:
 patch CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
+patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
diff --git a/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
new file mode 100644
index 0000000..7723764
--- /dev/null
+++ b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
@@ -0,0 +1,62 @@
+From b71812168571fa55e44cdd0254471331b9c4c4c6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 01:24:15 +0100
+Subject: [PATCH] netfilter: ebtables: CONFIG_COMPAT: don't trust userland
+ offsets
+
+We need to make sure the offsets are not out of range of the
+total size.
+Also check that they are in ascending order.
+
+The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
+changed to also bail out, no point in continuing parsing.
+
+Briefly tested with simple ruleset of
+-A INPUT --limit 1/s' --log
+plus jump to custom chains using 32bit ebtables binary.
+
+CVE: CVE-2018-1068   
+Upstream-Status: Backport 
+
+Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 61f8787..254ef9f 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2060,7 +2060,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
+                if (match_kern)
+                        match_kern->match_size = ret;
+ 
+-               WARN_ON(type == EBT_COMPAT_TARGET && size_left);
++               if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++                       return -EINVAL;
++
+                match32 = (struct compat_ebt_entry_mwt *) buf;
+        }
+ 
+@@ -2116,6 +2118,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
+         *
+         * offsets are relative to beginning of struct ebt_entry (i.e., 0).
+         */
++       for (i = 0; i < 4 ; ++i) {
++               if (offsets[i] >= *total)
++                       return -EINVAL;
++               if (i == 0)
++                       continue;
++               if (offsets[i-1] > offsets[i])
++                       return -EINVAL;
++       }
++
+        for (i = 0, j = 1 ; j < 4 ; j++, i++) {
+                struct compat_ebt_entry_mwt *match32;
+                unsigned int size;
+-- 
+
+