5c04da55c7
syzkaller reports splat:
------------[ cut here ]------------
Buffer overflow detected (80 < 137)!
Call Trace:
do_ebt_get_ctl+0x2b4/0x790 net/bridge/netfilter/ebtables.c:2317
nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline]
caused by a copy-to-user with a too-large "*len" value.
This adds a argument check on *len just like in the non-compat version
of the handler.
Before the "Fixes" commit, the reproducer fails with -EINVAL as
expected:
1. core calls the "compat" getsockopt version
2. compat getsockopt version detects the *len value is possibly
in 64-bit layout (*len != compat_len)
3. compat getsockopt version delegates everything to native getsockopt
version
4. native getsockopt rejects invalid *len
-> compat handler only sees len == sizeof(compat_struct) for GET_ENTRIES.
After the refactor, event sequence is:
1. getsockopt calls "compat" version (len != native_len)
2. compat version attempts to copy *len bytes, where *len is random
value from userspace
Fixes:
|
||
|---|---|---|
| .. | ||
| netfilter | ||
| Kconfig | ||
| Makefile | ||
| br.c | ||
| br_arp_nd_proxy.c | ||
| br_device.c | ||
| br_fdb.c | ||
| br_forward.c | ||
| br_if.c | ||
| br_input.c | ||
| br_ioctl.c | ||
| br_mdb.c | ||
| br_mrp.c | ||
| br_mrp_netlink.c | ||
| br_mrp_switchdev.c | ||
| br_multicast.c | ||
| br_netfilter_hooks.c | ||
| br_netfilter_ipv6.c | ||
| br_netlink.c | ||
| br_netlink_tunnel.c | ||
| br_nf_core.c | ||
| br_private.h | ||
| br_private_mrp.h | ||
| br_private_stp.h | ||
| br_private_tunnel.h | ||
| br_stp.c | ||
| br_stp_bpdu.c | ||
| br_stp_if.c | ||
| br_stp_timer.c | ||
| br_switchdev.c | ||
| br_sysfs_br.c | ||
| br_sysfs_if.c | ||
| br_vlan.c | ||
| br_vlan_options.c | ||
| br_vlan_tunnel.c | ||