11aa761
From 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 Mon Sep 17 00:00:00 2001
From: Will McVicker <willmcvicker@google.com>
Date: Mon, 24 Aug 2020 19:38:32 +0000
Subject: netfilter: ctnetlink: add a range check for l3/l4 protonum

The indexes to the nf_nat_l[34]protos arrays come from userspace. So
check the tuple's family, e.g. l3num, when creating the conntrack in
order to prevent an OOB memory access during setup.  Here is an example
kernel panic on 4.14.180 when userspace passes in an index greater than
NFPROTO_NUMPROTO.

Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:...
Process poc (pid: 5614, stack limit = 0x00000000a3933121)
CPU: 4 PID: 5614 Comm: poc Tainted: G S      W  O    4.14.180-g051355490483
Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
task: 000000002a3dfffe task.stack: 00000000a3933121
pc : __cfi_check_fail+0x1c/0x24
lr : __cfi_check_fail+0x1c/0x24
...
Call trace:
__cfi_check_fail+0x1c/0x24
name_to_dev_t+0x0/0x468
nfnetlink_parse_nat_setup+0x234/0x258
ctnetlink_parse_nat_setup+0x4c/0x228
ctnetlink_new_conntrack+0x590/0xc40
nfnetlink_rcv_msg+0x31c/0x4d4
netlink_rcv_skb+0x100/0x184
nfnetlink_rcv+0xf4/0x180
netlink_unicast+0x360/0x770
netlink_sendmsg+0x5a0/0x6a4
___sys_sendmsg+0x314/0x46c
SyS_sendmsg+0xb4/0x108
el0_svc_naked+0x34/0x38

This crash no longer happens as of 5.4+; however, ctnetlink still
allows creating entries with an unsupported layer 3 protocol number.

Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
Signed-off-by: Will McVicker <willmcvicker@google.com>
[pablo@netfilter.org: rebased original patch on top of nf.git]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 832eabecfbddc..d65846aa80591 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1404,7 +1404,8 @@ ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
 	if (err < 0)
 		return err;
 
-
+	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
+		return -EOPNOTSUPP;
 	tuple->src.l3num = l3num;
 
 	if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
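Review bot: the subject line promises a range check for the l3 and l4 protonum, but this hunk only validates `l3num` (`if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)`); the l4 `protonum` carried in `tuple->dst` is not bounded anywhere in this diff. Either the l4 check lives in a separate commit and the subject should be narrowed to l3num, or a matching check belongs right next to this one. A one-line comment above the new test saying that only the families nf_nat has tables for are accepted (the OOB index the commit message describes) would also help, since `-EOPNOTSUPP` alone does not tell a later reader whether the value was out of range or merely unimplemented.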
-- 