1. 27 Mar, 2019 1 commit
  2. 13 Mar, 2019 1 commit
  3. 23 Jan, 2019 1 commit
    • Shakeel Butt's avatar
      netfilter: ebtables: account ebt_table_info to kmemcg · 26e6d521
      Shakeel Butt authored
      commit e2c8d550a973bb34fc28bc8d0ec996f84562fb8a upstream.
      
      The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
      memory is already accounted to kmemcg. Do the same for ebtables. The
      syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
      whole system from a restricted memcg, a potential DoS.
      
      By accounting the ebt_table_info, the memory used for ebt_table_info can
      be contained within the memcg of the allocating process. However the
      lifetime of ebt_table_info is independent of the allocating process and
      is tied to the network namespace. So, the oom-killer will not be able to
      relieve the memory pressure due to ebt_table_info memory. The memory for
      ebt_table_info is allocated through vmalloc. Currently vmalloc does not
      handle the oom-killed allocating process correctly and one large
      allocation can bypass memcg limit enforcement. So, with this patch,
      at least the small allocations will be contained. For large allocations,
      we need to fix vmalloc.
      
      Reported-by: syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com
      Signed-off-by: default avatarShakeel Butt <shakeelb@google.com>
      Reviewed-by: default avatarKirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      26e6d521
  4. 22 Jul, 2018 1 commit
    • Florian Westphal's avatar
      netfilter: ebtables: reject non-bridge targets · 766a7ad6
      Florian Westphal authored
      commit 11ff7288 upstream.
      
      the ebtables evaluation loop expects targets to return
      positive values (jumps), or negative values (absolute verdicts).
      
      This is completely different from what xtables does.
      In xtables, targets are expected to return the standard netfilter
      verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
      
      ebtables will consider these as jumps.
      
      Therefore reject any target found due to unspec fallback.
      v2: also reject watchers.  ebtables ignores their return value, so
      a target that assumes skb ownership (and returns NF_STOLEN) causes
      use-after-free.
      
      The only watchers in the 'ebtables' front-end are log and nflog;
      both have AF_BRIDGE specific wrappers on kernel side.
      
      Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      766a7ad6
  5. 17 Jul, 2018 1 commit
    • Florian Westphal's avatar
      netfilter: x_tables: initialise match/target check parameter struct · 348b32aa
      Florian Westphal authored
      commit c568503e upstream.
      
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
       net/bridge/netfilter/ebt_stp.c:162
       ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
       xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
       ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
       ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
      
      The uninitialised access is
         xt_mtchk_param->nft_compat
      
      ... which should be set to 0.
      Fix it by zeroing the struct beforehand, same for tgchk.
      
      ip(6)tables targetinfo uses c99-style initialiser, so no change
      needed there.
      
      Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
      Fixes: 55917a21 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      348b32aa
  6. 08 Jul, 2018 1 commit
    • Paolo Abeni's avatar
      netfilter: ebtables: handle string from userspace with care · db73501e
      Paolo Abeni authored
      [ Upstream commit 94c752f9 ]
      
      strlcpy() can't be safely used on a user-space provided string,
      as it can try to read beyond the buffer's end, if the latter is
      not NULL terminated.
      
      Leveraging the above, syzbot has been able to trigger the following
      splat:
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
      [inline]
      BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
      net/bridge/netfilter/ebtables.c:1957 [inline]
      BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
      net/bridge/netfilter/ebtables.c:2059 [inline]
      BUG: KASAN: stack-out-of-bounds in size_entry_mwt
      net/bridge/netfilter/ebtables.c:2155 [inline]
      BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
      net/bridge/netfilter/ebtables.c:2194
      Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
      
      CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        check_memory_region_inline mm/kasan/kasan.c:260 [inline]
        check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
        memcpy+0x37/0x50 mm/kasan/kasan.c:303
        strlcpy include/linux/string.h:300 [inline]
        compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
        ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
        size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
        compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
        compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
        compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
        compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
        compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
        compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
        inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
        compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
        compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
        __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
        __do_compat_sys_setsockopt net/compat.c:416 [inline]
        __se_compat_sys_setsockopt net/compat.c:413 [inline]
        __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
        do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
        do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
        entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7fb3cb9
      RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x2fffc0000000000()
      raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fix the issue replacing the unsafe function with strscpy() and
      taking care of possible errors.
      
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db73501e
  7. 30 May, 2018 2 commits
  8. 16 May, 2018 1 commit
  9. 26 Apr, 2018 1 commit
  10. 15 Mar, 2018 1 commit
  11. 29 Sep, 2017 1 commit
  12. 04 Sep, 2017 1 commit
  13. 19 Aug, 2017 1 commit
  14. 15 May, 2017 1 commit
    • Willem de Bruijn's avatar
      netfilter: xtables: zero padding in data_to_user · 324318f0
      Willem de Bruijn authored
      When looking up an iptables rule, the iptables binary compares the
      aligned match and target data (XT_ALIGN). In some cases this can
      exceed the actual data size to include padding bytes.
      
      Before commit f77bc5b2 ("iptables: use match, target and data
      copy_to_user helpers") the malloc()ed bytes were overwritten by the
      kernel with kzalloced contents, zeroing the padding and making the
      comparison succeed. After this patch, the kernel copies and clears
      only data, leaving the padding bytes undefined.
      
      Extend the clear operation from data size to aligned data size to
      include the padding bytes, if any.
      
      Padding bytes can be observed in both match and target, and the bug
      triggered, by issuing a rule with match icmp and target ACCEPT:
      
        iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
        iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
      
      Fixes: f77bc5b2 ("iptables: use match, target and data copy_to_user helpers")
      Reported-by: default avatarPaul Moore <pmoore@redhat.com>
      Reported-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      324318f0
  15. 26 Apr, 2017 1 commit
  16. 07 Apr, 2017 1 commit
  17. 09 Jan, 2017 1 commit
  18. 24 Dec, 2016 1 commit
  19. 03 Nov, 2016 1 commit
  20. 24 Sep, 2016 1 commit
  21. 25 Aug, 2016 1 commit
  22. 03 Jul, 2016 1 commit
    • Joe Perches's avatar
      netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF · c37a2dfa
      Joe Perches authored
      netfilter uses multiple FWINV #defines with identical form that hide a
      specific structure variable and dereference it with a invflags member.
      
      $ git grep "#define FWINV"
      include/linux/netfilter_bridge/ebtables.h:#define FWINV(bool,invflg) ((bool) ^ !!(info->invflags & invflg))
      net/bridge/netfilter/ebtables.c:#define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg))
      net/ipv4/netfilter/arp_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg)))
      net/ipv4/netfilter/ip_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
      net/ipv6/netfilter/ip6_tables.c:#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
      net/netfilter/xt_tcpudp.c:#define FWINVTCP(bool, invflg) ((bool) ^ !!(tcpinfo->invflags & (invflg)))
      
      Consolidate these macros into a single NF_INVF macro.
      
      Miscellanea:
      
      o Neaten the alignment around these uses
      o A few lines are > 80 columns for intelligibility
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c37a2dfa
  23. 01 Jul, 2016 1 commit
  24. 12 Apr, 2016 1 commit
  25. 28 Mar, 2016 1 commit
  26. 23 Nov, 2015 4 commits
  27. 18 Sep, 2015 2 commits
  28. 28 Aug, 2015 1 commit
    • Florian Westphal's avatar
      netfilter: reduce sparse warnings · 851345c5
      Florian Westphal authored
      bridge/netfilter/ebtables.c:290:26: warning: incorrect type in assignment (different modifiers)
      -> remove __pure annotation.
      
      ipv6/netfilter/ip6t_SYNPROXY.c:240:27: warning: cast from restricted __be16
      -> switch ntohs to htons and vice versa.
      
      netfilter/core.c:391:30: warning: symbol 'nfq_ct_nat_hook' was not declared. Should it be static?
      -> delete it, got removed
      
      net/netfilter/nf_synproxy_core.c:221:48: warning: cast to restricted __be32
      -> Use __be32 instead of u32.
      
      Tested with objdiff that these changes do not affect generated code.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      851345c5
  29. 01 Jun, 2015 1 commit
  30. 26 May, 2015 1 commit
  31. 20 May, 2015 1 commit
    • Dave Jones's avatar
      netfilter: ensure number of counters is >0 in do_replace() · 1086bbe9
      Dave Jones authored
      After improving setsockopt() coverage in trinity, I started triggering
      vmalloc failures pretty reliably from this code path:
      
      warn_alloc_failed+0xe9/0x140
      __vmalloc_node_range+0x1be/0x270
      vzalloc+0x4b/0x50
      __do_replace+0x52/0x260 [ip_tables]
      do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
      nf_setsockopt+0x65/0x90
      ip_setsockopt+0x61/0xa0
      raw_setsockopt+0x16/0x60
      sock_common_setsockopt+0x14/0x20
      SyS_setsockopt+0x71/0xd0
      
      It turns out we don't validate that the num_counters field in the
      struct we pass in from userspace is initialized.
      
      The same problem also exists in ebtables, arptables, ipv6, and the
      compat variants.
      Signed-off-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1086bbe9
  32. 05 May, 2015 1 commit
  33. 13 Jan, 2015 1 commit
  34. 09 Sep, 2014 1 commit
  35. 08 Aug, 2014 1 commit