|
 |
11aa761 |
From 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 Mon Sep 17 00:00:00 2001
|
|
|
11aa761 |
From: Will McVicker <willmcvicker@google.com>
|
|
|
11aa761 |
Date: Mon, 24 Aug 2020 19:38:32 +0000
|
|
|
11aa761 |
Subject: netfilter: ctnetlink: add a range check for l3/l4 protonum
|
|
|
11aa761 |
|
|
|
11aa761 |
The indexes to the nf_nat_l[34]protos arrays come from userspace. So
|
|
|
11aa761 |
check the tuple's family, e.g. l3num, when creating the conntrack in
|
|
|
11aa761 |
order to prevent an OOB memory access during setup. Here is an example
|
|
|
11aa761 |
kernel panic on 4.14.180 when userspace passes in an index greater than
|
|
|
11aa761 |
NFPROTO_NUMPROTO.
|
|
|
11aa761 |
|
|
|
11aa761 |
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
|
|
|
11aa761 |
Modules linked in:...
|
|
|
11aa761 |
Process poc (pid: 5614, stack limit = 0x00000000a3933121)
|
|
|
11aa761 |
CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483
|
|
|
11aa761 |
Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
|
|
|
11aa761 |
task: 000000002a3dfffe task.stack: 00000000a3933121
|
|
|
11aa761 |
pc : __cfi_check_fail+0x1c/0x24
|
|
|
11aa761 |
lr : __cfi_check_fail+0x1c/0x24
|
|
|
11aa761 |
...
|
|
|
11aa761 |
Call trace:
|
|
|
11aa761 |
__cfi_check_fail+0x1c/0x24
|
|
|
11aa761 |
name_to_dev_t+0x0/0x468
|
|
|
11aa761 |
nfnetlink_parse_nat_setup+0x234/0x258
|
|
|
11aa761 |
ctnetlink_parse_nat_setup+0x4c/0x228
|
|
|
11aa761 |
ctnetlink_new_conntrack+0x590/0xc40
|
|
|
11aa761 |
nfnetlink_rcv_msg+0x31c/0x4d4
|
|
|
11aa761 |
netlink_rcv_skb+0x100/0x184
|
|
|
11aa761 |
nfnetlink_rcv+0xf4/0x180
|
|
|
11aa761 |
netlink_unicast+0x360/0x770
|
|
|
11aa761 |
netlink_sendmsg+0x5a0/0x6a4
|
|
|
11aa761 |
___sys_sendmsg+0x314/0x46c
|
|
|
11aa761 |
SyS_sendmsg+0xb4/0x108
|
|
|
11aa761 |
el0_svc_naked+0x34/0x38
|
|
|
11aa761 |
|
|
|
11aa761 |
This crash is not happening since 5.4+, however, ctnetlink still
|
|
|
11aa761 |
allows for creating entries with unsupported layer 3 protocol number.
|
|
|
11aa761 |
|
|
|
11aa761 |
Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
|
|
|
11aa761 |
Signed-off-by: Will McVicker <willmcvicker@google.com>
|
|
|
11aa761 |
[pablo@netfilter.org: rebased original patch on top of nf.git]
|
|
|
11aa761 |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
11aa761 |
---
|
|
|
11aa761 |
net/netfilter/nf_conntrack_netlink.c | 3 ++-
|
|
|
11aa761 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
11aa761 |
|
|
|
11aa761 |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
|
|
|
11aa761 |
index 832eabecfbddc..d65846aa80591 100644
|
|
|
11aa761 |
--- a/net/netfilter/nf_conntrack_netlink.c
|
|
|
11aa761 |
+++ b/net/netfilter/nf_conntrack_netlink.c
|
|
|
11aa761 |
@@ -1404,7 +1404,8 @@ ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
|
|
|
11aa761 |
if (err < 0)
|
|
|
11aa761 |
return err;
|
|
|
11aa761 |
|
|
|
11aa761 |
-
|
|
|
11aa761 |
+ if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
|
|
|
11aa761 |
+ return -EOPNOTSUPP;
|
|
|
11aa761 |
tuple->src.l3num = l3num;
|
|
|
11aa761 |
|
|
|
11aa761 |
if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
|
|
|
11aa761 |
--
|
|
|
11aa761 |
cgit 1.2.3-1.el7
|
|
|
11aa761 |
|