netfilter: CVE-2018-1068

netfilter: ebtables: CONFIG_COMPAT: don't trust userland

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1068
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=eaa06bfba8eabd44ce952758046492eebc973bbe

Change-Id: I3773b4d4b302614d928989b6ca6df2423e3c41db
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

1 files changed, 65 insertions, 0 deletions

diff --git a/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
new file mode 100644
index 0000000..041f71c
--- /dev/null
+++ b/patches/cve/CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
@@ -0,0 +1,65 @@
+From eaa06bfba8eabd44ce952758046492eebc973bbe Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Feb 2018 01:24:15 +0100
+Subject: [PATCH] netfilter: ebtables: CONFIG_COMPAT: don't trust userland
+ offsets
+
+commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.
+
+We need to make sure the offsets are not out of range of the
+total size.
+Also check that they are in ascending order.
+
+The WARN_ON triggered by syzkaller (it sets panic_on_warn) is
+changed to also bail out, no point in continuing parsing.
+
+Briefly tested with simple ruleset of
+-A INPUT --limit 1/s' --log
+plus jump to custom chains using 32bit ebtables binary.
+
+CVE: CVE-2018-1068
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=eaa06bfba8eabd44ce952758046492eebc973bbe]
+
+Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/bridge/netfilter/ebtables.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 3b3dcf719e07..16eb99458df4 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2053,7 +2053,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
+                if (match_kern)
+                        match_kern->match_size = ret;
+ 
+-               WARN_ON(type == EBT_COMPAT_TARGET && size_left);
++               if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++                       return -EINVAL;
++
+                match32 = (struct compat_ebt_entry_mwt *) buf;
+        }
+ 
+@@ -2109,6 +2111,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
+         *
+         * offsets are relative to beginning of struct ebt_entry (i.e., 0).
+         */
++       for (i = 0; i < 4 ; ++i) {
++               if (offsets[i] >= *total)
++                       return -EINVAL;
++               if (i == 0)
++                       continue;
++               if (offsets[i-1] > offsets[i])
++                       return -EINVAL;
++       }
++
+        for (i = 0, j = 1 ; j < 4 ; j++, i++) {
+                struct compat_ebt_entry_mwt *match32;
+                unsigned int size;
+-- 
+2.20.1
+