From 1f4f2d504a82f7868c473800cf710ae15c3a3840 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Tue, 21 May 2019 16:36:29 +0200
Subject: netfilter: CVE-2018-1065 netfilter: add back stackpointer size checks
Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1065
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb
Change-Id: Id89654b8f9d92a644bd60410953a79e69341db7e
Signed-off-by: Andreas Wellving
---
 ...tfilter-add-back-stackpointer-size-checks.patch | 91 ++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
diff --git a/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
new file mode 100644
index 0000000..6772178
--- /dev/null
+++ b/patches/cve/CVE-2018-1065-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,91 @@
+From 638c2e4eff89aae86593e80ac2be01eee195fccb Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 7 Feb 2018 13:46:25 +0100
+Subject: [PATCH] netfilter: add back stackpointer size checks
+
+commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
+
+The rationale for removing the check is only correct for rulesets
+generated by ip(6)tables.
+
+In iptables, a jump can only occur to a user-defined chain, i.e.
+because we size the stack based on number of user-defined chains we
+cannot exceed stack size.
+
+However, the underlying binary format has no such restriction,
+and the validation step only ensures that the jump target is a
+valid rule start point.
+
+IOW, its possible to build a rule blob that has no user-defined
+chains but does contain a jump.
+
+If this happens, no jump stack gets allocated and crash occurs
+because no jumpstack was allocated.
+
+CVE: CVE-2018-1065
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=638c2e4eff89aae86593e80ac2be01eee195fccb]
+
+Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
+Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Andreas Wellving
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c | 7 ++++++-
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 9e2770fd00be..aa4c3b7f7da4 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -257,6 +257,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v
+ != arpt_next_entry(e)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+ 
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 39286e543ee6..cadb82a906b8 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -335,8 +335,13 @@ ipt_do_table(struct sk_buff *skb,
+ continue;
+ }
+ if (table_base + v != ipt_next_entry(e) &&
+- !(e->ip.flags & IPT_F_GOTO))
++ !(e->ip.flags & IPT_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
++ }
+
+ e = get_entry(table_base, v);
+ continue;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 01bd3ee5ebc6..a0a31972fc75 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -357,6 +357,10 @@ ip6t_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v != ip6t_next_entry(e) &&
+ !(e->ipv6.flags & IP6T_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
+--
+2.20.1
+
-- cgit v1.2.3-54-g00ecf
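Review bot: The `stackidx >= private->stacksize` guard added in all three do_table hunks fails closed but silently: a rule blob whose jump depth exceeds the stack sized at ruleset load is caught only per packet, as a bare `verdict = NF_DROP; break;` with no log or counter, and per the patch message the load-time validation still accepts such a blob, so an operator sees unexplained drops rather than an error from the setsockopt that installed it. Because this carrier is a verbatim stable backport of 638c2e4e it should stay byte-identical to upstream; the place for that caveat is the carrier patch's header, e.g. `Note: the bound check drops packets at runtime; blobs that jump without user-defined chains are still accepted at load time.` The arp_tables copy pushes for every non-fall-through jump while the ip(6)_tables copies skip IPT_F_GOTO/IP6T_F_GOTO, which is consistent with the visible code since a goto does not push the stack. The enclosing arpt_do_table, ipt_do_table and ip6t_do_table all start and end outside the hunks, so whether `break` leaves the do-while with the drop verdict returned unchanged could not be confirmed from here and should be checked against the 4.14 tree this is applied to.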