1 files changed, 91 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
new file mode 100644
index 0000000..6772178
--- /dev/null
+++ b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,91 @@
+From 638c2e4eff89aae86593e80ac2be01eee195fccb Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Feb 2018 13:46:25 +0100
+Subject: [PATCH] netfilter: add back stackpointer size checks
+commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
+The rationale for removing the check is only correct for rulesets
+generated by ip(6)tables.
+In iptables, a jump can only occur to a user-defined chain, i.e.
+because we size the stack based on number of user-defined chains we
+cannot exceed stack size.
+However, the underlying binary format has no such restriction,
+and the validation step only ensures that the jump target is a
+valid rule start point.
+IOW, its possible to build a rule blob that has no user-defined
+chains but does contain a jump.
+If this happens, no jump stack gets allocated and crash occurs
+because no jumpstack was allocated.
+CVE: CVE-2018-1065
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb]
+Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
+Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c  | 7 ++++++-
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 9e2770fd00be..aa4c3b7f7da4 100644
+--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
+@@ -257,6 +257,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
+                        }
+                        if (table_base + v
+                            != arpt_next_entry(e)) {
+                               if (unlikely(stackidx >= private->stacksize)) {
+                                       verdict = NF_DROP;
+                                       break;
+                               }
+                                jumpstack[stackidx++] = e;
+                        }
+ 
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 39286e543ee6..cadb82a906b8 100644
+--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
+@@ -335,8 +335,13 @@ ipt_do_table(struct sk_buff *skb,
+                                continue;
+                        }
+                        if (table_base + v != ipt_next_entry(e) &&
+-                           !(e->ip.flags & IPT_F_GOTO))
+                           !(e->ip.flags & IPT_F_GOTO)) {
+                               if (unlikely(stackidx >= private->stacksize)) {
+                                       verdict = NF_DROP;
+                                       break;
+                               }
+                                jumpstack[stackidx++] = e;
+                       }
+ 
+                        e = get_entry(table_base, v);
+                        continue;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 01bd3ee5ebc6..a0a31972fc75 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -357,6 +357,10 @@ ip6t_do_table(struct sk_buff *skb,
+                        }
+                        if (table_base + v != ip6t_next_entry(e) &&
+                            !(e->ipv6.flags & IP6T_F_GOTO)) {
+                               if (unlikely(stackidx >= private->stacksize)) {
+                                       verdict = NF_DROP;
+                                       break;
+                               }
+                                jumpstack[stackidx++] = e;
+                        }
+ 
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch new file mode 100644 index 0000000..6772178 --- /dev/null +++ b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,91 @@
	1	From 638c2e4eff89aae86593e80ac2be01eee195fccb Mon Sep 17 00:00:00 2001
	2	From: Florian Westphal <fw@strlen.de>
	3	Date: Wed, 7 Feb 2018 13:46:25 +0100
	4	Subject: [PATCH] netfilter: add back stackpointer size checks
	5
	6	commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
	7
	8	The rationale for removing the check is only correct for rulesets
	9	generated by ip(6)tables.
	10
	11	In iptables, a jump can only occur to a user-defined chain, i.e.
	12	because we size the stack based on number of user-defined chains we
	13	cannot exceed stack size.
	14
	15	However, the underlying binary format has no such restriction,
	16	and the validation step only ensures that the jump target is a
	17	valid rule start point.
	18
	19	IOW, its possible to build a rule blob that has no user-defined
	20	chains but does contain a jump.
	21
	22	If this happens, no jump stack gets allocated and crash occurs
	23	because no jumpstack was allocated.
	24
	25	CVE: CVE-2018-1065
	26	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb]
	27
	28	Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
	29	Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
	30	Signed-off-by: Florian Westphal <fw@strlen.de>
	31	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	32	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	33	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	34	---
	35	net/ipv4/netfilter/arp_tables.c \| 4 ++++
	36	net/ipv4/netfilter/ip_tables.c \| 7 ++++++-
	37	net/ipv6/netfilter/ip6_tables.c \| 4 ++++
	38	3 files changed, 14 insertions(+), 1 deletion(-)
	39
	40	diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
	41	index 9e2770fd00be..aa4c3b7f7da4 100644
	42	--- a/net/ipv4/netfilter/arp_tables.c
	43	+++ b/net/ipv4/netfilter/arp_tables.c
	44	@@ -257,6 +257,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
	45	}
	46	if (table_base + v
	47	!= arpt_next_entry(e)) {
	48	+ if (unlikely(stackidx >= private->stacksize)) {
	49	+ verdict = NF_DROP;
	50	+ break;
	51	+ }
	52	jumpstack[stackidx++] = e;
	53	}
	54
	55	diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
	56	index 39286e543ee6..cadb82a906b8 100644
	57	--- a/net/ipv4/netfilter/ip_tables.c
	58	+++ b/net/ipv4/netfilter/ip_tables.c
	59	@@ -335,8 +335,13 @@ ipt_do_table(struct sk_buff *skb,
	60	continue;
	61	}
	62	if (table_base + v != ipt_next_entry(e) &&
	63	- !(e->ip.flags & IPT_F_GOTO))
	64	+ !(e->ip.flags & IPT_F_GOTO)) {
	65	+ if (unlikely(stackidx >= private->stacksize)) {
	66	+ verdict = NF_DROP;
	67	+ break;
	68	+ }
	69	jumpstack[stackidx++] = e;
	70	+ }
	71
	72	e = get_entry(table_base, v);
	73	continue;
	74	diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
	75	index 01bd3ee5ebc6..a0a31972fc75 100644
	76	--- a/net/ipv6/netfilter/ip6_tables.c
	77	+++ b/net/ipv6/netfilter/ip6_tables.c
	78	@@ -357,6 +357,10 @@ ip6t_do_table(struct sk_buff *skb,
	79	}
	80	if (table_base + v != ip6t_next_entry(e) &&
	81	!(e->ipv6.flags & IP6T_F_GOTO)) {
	82	+ if (unlikely(stackidx >= private->stacksize)) {
	83	+ verdict = NF_DROP;
	84	+ break;
	85	+ }
	86	jumpstack[stackidx++] = e;
	87	}
	88
	89	--
	90	2.20.1
	91