netfilter: CVE-2018-1065

netfilter: add back stackpointer size checks Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1065 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb Change-Id: Id89654b8f9d92a644bd60410953a79e69341db7e Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-21 16:36:29 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-21 17:38:48 +0200
commit: 1f4f2d504a82f7868c473800cf710ae15c3a3840 (patch)
tree: 3f79451f923ecf5ba6699730b6f85b0d09a28ed8
parent: 92ea7aef37ce83db0dfd078092b4c386080c7107 (diff)
download: enea-kernel-cache-1f4f2d504a82f7868c473800cf710ae15c3a3840.tar.gz
1 files changed, 91 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
new file mode 100644
index 0000000..6772178
--- /dev/null
+++ b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,91 @@
+From 638c2e4eff89aae86593e80ac2be01eee195fccb Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Feb 2018 13:46:25 +0100
+Subject: [PATCH] netfilter: add back stackpointer size checks
+commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
+The rationale for removing the check is only correct for rulesets
+generated by ip(6)tables.
+In iptables, a jump can only occur to a user-defined chain, i.e.
+because we size the stack based on number of user-defined chains we
+cannot exceed stack size.
+However, the underlying binary format has no such restriction,
+and the validation step only ensures that the jump target is a
+valid rule start point.
+IOW, its possible to build a rule blob that has no user-defined
+chains but does contain a jump.
+If this happens, no jump stack gets allocated and crash occurs
+because no jumpstack was allocated.
+CVE: CVE-2018-1065
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb]
+Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
+Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c  | 7 ++++++-
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 9e2770fd00be..aa4c3b7f7da4 100644
+--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
+@@ -257,6 +257,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
+                        }
+                        if (table_base + v
+                            != arpt_next_entry(e)) {
+                               if (unlikely(stackidx >= private->stacksize)) {
+                                       verdict = NF_DROP;
+                                       break;
+                               }
+                                jumpstack[stackidx++] = e;
+                        }
+ 
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 39286e543ee6..cadb82a906b8 100644
+--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
+@@ -335,8 +335,13 @@ ipt_do_table(struct sk_buff *skb,
+                                continue;
+                        }
+                        if (table_base + v != ipt_next_entry(e) &&
+-                           !(e->ip.flags & IPT_F_GOTO))
+                           !(e->ip.flags & IPT_F_GOTO)) {
+                               if (unlikely(stackidx >= private->stacksize)) {
+                                       verdict = NF_DROP;
+                                       break;
+                               }
+                                jumpstack[stackidx++] = e;
+                       }
+ 
+                        e = get_entry(table_base, v);
+                        continue;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 01bd3ee5ebc6..a0a31972fc75 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -357,6 +357,10 @@ ip6t_do_table(struct sk_buff *skb,
+                        }
+                        if (table_base + v != ip6t_next_entry(e) &&
+                            !(e->ipv6.flags & IP6T_F_GOTO)) {
+                               if (unlikely(stackidx >= private->stacksize)) {
+                                       verdict = NF_DROP;
+                                       break;
+                               }
+                                jumpstack[stackidx++] = e;
+                        }
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-21 16:36:29 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-21 17:38:48 +0200
commit	1f4f2d504a82f7868c473800cf710ae15c3a3840 (patch)
tree	3f79451f923ecf5ba6699730b6f85b0d09a28ed8
parent	92ea7aef37ce83db0dfd078092b4c386080c7107 (diff)
download	enea-kernel-cache-1f4f2d504a82f7868c473800cf710ae15c3a3840.tar.gz

diff --git a/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch new file mode 100644 index 0000000..6772178 --- /dev/null +++ b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,91 @@
	1	From 638c2e4eff89aae86593e80ac2be01eee195fccb Mon Sep 17 00:00:00 2001
	2	From: Florian Westphal <fw@strlen.de>
	3	Date: Wed, 7 Feb 2018 13:46:25 +0100
	4	Subject: [PATCH] netfilter: add back stackpointer size checks
	5
	6	commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
	7
	8	The rationale for removing the check is only correct for rulesets
	9	generated by ip(6)tables.
	10
	11	In iptables, a jump can only occur to a user-defined chain, i.e.
	12	because we size the stack based on number of user-defined chains we
	13	cannot exceed stack size.
	14
	15	However, the underlying binary format has no such restriction,
	16	and the validation step only ensures that the jump target is a
	17	valid rule start point.
	18
	19	IOW, its possible to build a rule blob that has no user-defined
	20	chains but does contain a jump.
	21
	22	If this happens, no jump stack gets allocated and crash occurs
	23	because no jumpstack was allocated.
	24
	25	CVE: CVE-2018-1065
	26	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb]
	27
	28	Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
	29	Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
	30	Signed-off-by: Florian Westphal <fw@strlen.de>
	31	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	32	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	33	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	34	---
	35	net/ipv4/netfilter/arp_tables.c \| 4 ++++
	36	net/ipv4/netfilter/ip_tables.c \| 7 ++++++-
	37	net/ipv6/netfilter/ip6_tables.c \| 4 ++++
	38	3 files changed, 14 insertions(+), 1 deletion(-)
	39
	40	diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
	41	index 9e2770fd00be..aa4c3b7f7da4 100644
	42	--- a/net/ipv4/netfilter/arp_tables.c
	43	+++ b/net/ipv4/netfilter/arp_tables.c
	44	@@ -257,6 +257,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
	45	}
	46	if (table_base + v
	47	!= arpt_next_entry(e)) {
	48	+ if (unlikely(stackidx >= private->stacksize)) {
	49	+ verdict = NF_DROP;
	50	+ break;
	51	+ }
	52	jumpstack[stackidx++] = e;
	53	}
	54
	55	diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
	56	index 39286e543ee6..cadb82a906b8 100644
	57	--- a/net/ipv4/netfilter/ip_tables.c
	58	+++ b/net/ipv4/netfilter/ip_tables.c
	59	@@ -335,8 +335,13 @@ ipt_do_table(struct sk_buff *skb,
	60	continue;
	61	}
	62	if (table_base + v != ipt_next_entry(e) &&
	63	- !(e->ip.flags & IPT_F_GOTO))
	64	+ !(e->ip.flags & IPT_F_GOTO)) {
	65	+ if (unlikely(stackidx >= private->stacksize)) {
	66	+ verdict = NF_DROP;
	67	+ break;
	68	+ }
	69	jumpstack[stackidx++] = e;
	70	+ }
	71
	72	e = get_entry(table_base, v);
	73	continue;
	74	diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
	75	index 01bd3ee5ebc6..a0a31972fc75 100644
	76	--- a/net/ipv6/netfilter/ip6_tables.c
	77	+++ b/net/ipv6/netfilter/ip6_tables.c
	78	@@ -357,6 +357,10 @@ ip6t_do_table(struct sk_buff *skb,
	79	}
	80	if (table_base + v != ip6t_next_entry(e) &&
	81	!(e->ipv6.flags & IP6T_F_GOTO)) {
	82	+ if (unlikely(stackidx >= private->stacksize)) {
	83	+ verdict = NF_DROP;
	84	+ break;
	85	+ }
	86	jumpstack[stackidx++] = e;
	87	}
	88
	89	--
	90	2.20.1
	91