WSL2-Linux-Kernel/net/bridge
Paolo Abeni 94c752f999 netfilter: ebtables: handle string from userspace with care
strlcpy() can't be safely used on a user-space provided string,
as it can try to read beyond the buffer's end, if the latter is
not NULL terminated.

Leveraging the above, syzbot has been able to trigger the following
splat:

BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
[inline]
BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
net/bridge/netfilter/ebtables.c:1957 [inline]
BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
net/bridge/netfilter/ebtables.c:2059 [inline]
BUG: KASAN: stack-out-of-bounds in size_entry_mwt
net/bridge/netfilter/ebtables.c:2155 [inline]
BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
net/bridge/netfilter/ebtables.c:2194
Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504

CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  print_address_description+0x6c/0x20b mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
  check_memory_region_inline mm/kasan/kasan.c:260 [inline]
  check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
  memcpy+0x37/0x50 mm/kasan/kasan.c:303
  strlcpy include/linux/string.h:300 [inline]
  compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
  ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
  size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
  compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
  compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
  compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
  compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
  compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
  compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
  inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
  compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
  compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
  __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
  __do_compat_sys_setsockopt net/compat.c:416 [inline]
  __se_compat_sys_setsockopt net/compat.c:413 [inline]
  __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
  do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
  do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fb3cb9
RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Fix the issue replacing the unsafe function with strscpy() and
taking care of possible errors.

Fixes: 81e675c227 ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-17 13:48:48 +02:00
..
netfilter netfilter: ebtables: handle string from userspace with care 2018-05-17 13:48:48 +02:00
Kconfig
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
br.c net: bridge: disable bridge MTU auto tuning if it was set manually 2018-03-31 22:19:00 -04:00
br_arp_nd_proxy.c bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports 2017-10-08 21:12:04 -07:00
br_device.c net: bridge: disable bridge MTU auto tuning if it was set manually 2018-03-31 22:19:00 -04:00
br_fdb.c net: bridge: Fix uninitialized error in br_fdb_sync_static() 2018-02-01 09:47:37 -05:00
br_forward.c bridge: add new BR_NEIGH_SUPPRESS port flag to suppress arp and nd flood 2017-10-08 21:12:04 -07:00
br_if.c bridge: check iface upper dev when setting master via ioctl 2018-04-29 21:08:02 -04:00
br_input.c net: bridge: Rename mglist to host_joined 2017-11-10 13:41:40 +09:00
br_ioctl.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_mdb.c net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
br_multicast.c net: bridge: Send notification when host join/leaves a group 2017-11-10 13:41:40 +09:00
br_netfilter_hooks.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
br_netfilter_ipv6.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
br_netlink.c net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2017-12-18 13:29:01 -05:00
br_netlink_tunnel.c bridge: netlink: make setlink/dellink notifications more accurate 2017-10-29 11:03:43 +09:00
br_nf_core.c xfrm: Move dst->path into struct xfrm_dst 2017-11-30 09:54:26 -05:00
br_private.h net: bridge: disable bridge MTU auto tuning if it was set manually 2018-03-31 22:19:00 -04:00
br_private_stp.h net: bridge: add helper to set topology change 2016-12-10 21:27:23 -05:00
br_private_tunnel.h bridge: netlink: make setlink/dellink notifications more accurate 2017-10-29 11:03:43 +09:00
br_stp.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_stp_bpdu.c net: introduce __skb_put_[zero, data, u8] 2017-06-20 13:30:14 -04:00
br_stp_if.c net: bridge: add notifications for the bridge dev on vlan change 2017-11-02 15:53:40 +09:00
br_stp_timer.c net: bridge: Convert timers to use timer_setup() 2017-11-03 15:42:49 +09:00
br_switchdev.c net: bridge: use rhashtable for fdbs 2017-12-13 15:10:01 -05:00
br_sysfs_br.c net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
br_sysfs_if.c net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
br_vlan.c bridge: Fix VLAN reference count problem 2018-02-26 15:15:53 -05:00
br_vlan_tunnel.c bridge: vlan_tunnel: explicitly reset metadata attrs to NULL on failure 2017-02-17 13:33:41 -05:00