subject:"\[PATCH net\] netfilter\: x_tables\: avoid stack\-out\-of\-bounds read in xt_copy_counters_from

Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user

2017-10-06 Thread Pablo Neira Ayuso

On Thu, Oct 05, 2017 at 11:56:44AM +0200, Florian Westphal wrote:
> Eric Dumazet  wrote:
> > From: Eric Dumazet 
> > 
> > syzkaller reports an out of bound read in strlcpy(), triggered
> > by xt_copy_counters_from_user()
> > 
> > Fix this by using memcpy(), then forcing a zero byte at the last position
> > of the destination, as Florian did for the non COMPAT code.
> > 
> > Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use 
> > xt_copy_counters_from_user")
> > Signed-off-by: Eric Dumazet 
> > Cc: Willem de Bruijn 
> > ---
> >  net/netfilter/x_tables.c |4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> > index 
> > c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712
> >  100644
> > --- a/net/netfilter/x_tables.c
> > +++ b/net/netfilter/x_tables.c
> > @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user 
> > *user, unsigned int len,
> > if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
> > return ERR_PTR(-EFAULT);
> >  
> > -   strlcpy(info->name, compat_tmp.name, sizeof(info->name));
> > +   memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
> 
> Argh, right, compat_tmp.name might not be 0 terminated :-/
> 
> Acked-by: Florian Westphal 

Applied to nf, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user

2017-10-05 Thread Florian Westphal

Eric Dumazet  wrote:
> From: Eric Dumazet 
> 
> syzkaller reports an out of bound read in strlcpy(), triggered
> by xt_copy_counters_from_user()
> 
> Fix this by using memcpy(), then forcing a zero byte at the last position
> of the destination, as Florian did for the non COMPAT code.
> 
> Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use 
> xt_copy_counters_from_user")
> Signed-off-by: Eric Dumazet 
> Cc: Willem de Bruijn 
> ---
>  net/netfilter/x_tables.c |4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 
> c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712
>  100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, 
> unsigned int len,
>   if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
>   return ERR_PTR(-EFAULT);
>  
> - strlcpy(info->name, compat_tmp.name, sizeof(info->name));
> + memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);

Argh, right, compat_tmp.name might not be 0 terminated :-/

Acked-by: Florian Westphal 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user

2017-10-05 Thread Eric Dumazet

From: Eric Dumazet 

syzkaller reports an out of bound read in strlcpy(), triggered
by xt_copy_counters_from_user()

Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.

Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use 
xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet 
Cc: Willem de Bruijn 
---
 net/netfilter/x_tables.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 
c83a3b5e1c6c2a91b713b6681a794bd79ab3fa08..d8571f4142080a3c121fc90f0b52d81ee9df6712
 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, 
unsigned int len,
if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
return ERR_PTR(-EFAULT);
 
-   strlcpy(info->name, compat_tmp.name, sizeof(info->name));
+   memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
info->num_counters = compat_tmp.num_counters;
user += sizeof(compat_tmp);
} else
@@ -905,9 +905,9 @@ void *xt_copy_counters_from_user(const void __user *user, 
unsigned int len,
if (copy_from_user(info, user, sizeof(*info)) != 0)
return ERR_PTR(-EFAULT);
 
-   info->name[sizeof(info->name) - 1] = '\0';
user += sizeof(*info);
}
+   info->name[sizeof(info->name) - 1] = '\0';
 
size = sizeof(struct xt_counters);
size *= info->num_counters;


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user

Re: [PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user

[PATCH net] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user

3 matches

Site Navigation

Mail list logo

Footer information