[PATCH 4/6] netfilter: x_tables: fix pointer leaks to userspace

Pablo Neira Ayuso Thu, 01 Feb 2018 10:05:11 -0800

From: Dmitry Vyukov <dvyu...@google.com>

Several netfilter matches and targets put kernel pointers into
info objects, but don't set usersize in descriptors.
This leads to kernel pointer leaks if a match/target is set
and then read back to userspace.


Properly set usersize for these matches/targets.

Found with manual code inspection.

Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov <dvyu...@google.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
 net/netfilter/xt_IDLETIMER.c | 1 +
 net/netfilter/xt_LED.c       | 1 +
 net/netfilter/xt_limit.c     | 3 +--
 net/netfilter/xt_nfacct.c    | 1 +
 net/netfilter/xt_statistic.c | 1 +
 5 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index ee3421ad108d..6c2482b709b1 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -252,6 +252,7 @@ static struct xt_target idletimer_tg __read_mostly = {
        .family         = NFPROTO_UNSPEC,
        .target         = idletimer_tg_target,
        .targetsize     = sizeof(struct idletimer_tg_info),
+       .usersize       = offsetof(struct idletimer_tg_info, timer),
        .checkentry     = idletimer_tg_checkentry,
        .destroy        = idletimer_tg_destroy,
        .me             = THIS_MODULE,
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 0971634e5444..1dcad893df78 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __read_mostly = {
        .family         = NFPROTO_UNSPEC,
        .target         = led_tg,
        .targetsize     = sizeof(struct xt_led_info),
+       .usersize       = offsetof(struct xt_led_info, internal_data),
        .checkentry     = led_tg_check,
        .destroy        = led_tg_destroy,
        .me             = THIS_MODULE,
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index d27b5f1ea619..61403b77361c 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -193,9 +193,8 @@ static struct xt_match limit_mt_reg __read_mostly = {
        .compatsize       = sizeof(struct compat_xt_rateinfo),
        .compat_from_user = limit_mt_compat_from_user,
        .compat_to_user   = limit_mt_compat_to_user,
-#else
-       .usersize         = offsetof(struct xt_rateinfo, prev),
 #endif
+       .usersize         = offsetof(struct xt_rateinfo, prev),
        .me               = THIS_MODULE,
 };
 
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index cc0518fe598e..6f92d25590a8 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly = {
        .match      = nfacct_mt,
        .destroy    = nfacct_mt_destroy,
        .matchsize  = sizeof(struct xt_nfacct_match_info),
+       .usersize   = offsetof(struct xt_nfacct_match_info, nfacct),
        .me         = THIS_MODULE,
 };
 
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 11de55e7a868..8710fdba2ae2 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_reg __read_mostly = {
        .checkentry = statistic_mt_check,
        .destroy    = statistic_mt_destroy,
        .matchsize  = sizeof(struct xt_statistic_info),
+       .usersize   = offsetof(struct xt_statistic_info, master),
        .me         = THIS_MODULE,
 };
 
-- 
2.11.0

[PATCH 4/6] netfilter: x_tables: fix pointer leaks to userspace

Reply via email to