Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
On Thu, Oct 05, 2017 at 11:56:44AM +0200, Florian Westphal wrote: > Eric Dumazet wrote: > > From: Eric Dumazet > > > > syzkaller reports an out of bound read in strlcpy(), triggered > > by xt_copy_counters_from_user() > > > > Fix this by using memcpy(), then forcing a zero byte at the last position > > of the destination, as Florian did for the non COMPAT code. > > > > Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use > > xt_copy_counters_from_user") > > Signed-off-by: Eric Dumazet > > Cc: Willem de Bruijn > > --- > > net/netfilter/x_tables.c |4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > > index > > c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712 > > 100644 > > --- a/net/netfilter/x_tables.c > > +++ b/net/netfilter/x_tables.c > > @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user > > *user, unsigned int len, > > if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) > > return ERR_PTR(-EFAULT); > > > > - strlcpy(info->name, compat_tmp.name, sizeof(info->name)); > > + memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); > > Argh, right, compat_tmp.name might not be 0 terminated :-/ > > Acked-by: Florian Westphal Applied to nf, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
Eric Dumazet wrote: > From: Eric Dumazet > > syzkaller reports an out of bound read in strlcpy(), triggered > by xt_copy_counters_from_user() > > Fix this by using memcpy(), then forcing a zero byte at the last position > of the destination, as Florian did for the non COMPAT code. > > Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use > xt_copy_counters_from_user") > Signed-off-by: Eric Dumazet > Cc: Willem de Bruijn > --- > net/netfilter/x_tables.c |4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > index > c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712 > 100644 > --- a/net/netfilter/x_tables.c > +++ b/net/netfilter/x_tables.c > @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, > unsigned int len, > if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) > return ERR_PTR(-EFAULT); > > - strlcpy(info->name, compat_tmp.name, sizeof(info->name)); > + memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); Argh, right, compat_tmp.name might not be 0 terminated :-/ Acked-by: Florian Westphal -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
From: Eric Dumazet syzkaller reports an out of bound read in strlcpy(), triggered by xt_copy_counters_from_user() Fix this by using memcpy(), then forcing a zero byte at the last position of the destination, as Florian did for the non COMPAT code. Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn --- net/netfilter/x_tables.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len, if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0) return ERR_PTR(-EFAULT); - strlcpy(info->name, compat_tmp.name, sizeof(info->name)); + memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1); info->num_counters = compat_tmp.num_counters; user += sizeof(compat_tmp); } else @@ -905,9 +905,9 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len, if (copy_from_user(info, user, sizeof(*info)) != 0) return ERR_PTR(-EFAULT); - info->name[sizeof(info->name) - 1] = '\0'; user += sizeof(*info); } + info->name[sizeof(info->name) - 1] = '\0'; size = sizeof(struct xt_counters); size *= info->num_counters; -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html