Fix CVE-2018-1065 (rhbz 1547824 1547831)
This commit is contained in:
parent
beca8c749b
commit
0e73a86b91
|
@ -0,0 +1,84 @@
|
|||
From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Wed, 7 Feb 2018 13:46:25 +0100
|
||||
Subject: [PATCH] netfilter: add back stackpointer size checks
|
||||
|
||||
The rationale for removing the check is only correct for rulesets
|
||||
generated by ip(6)tables.
|
||||
|
||||
In iptables, a jump can only occur to a user-defined chain, i.e.
|
||||
because we size the stack based on number of user-defined chains we
|
||||
cannot exceed stack size.
|
||||
|
||||
However, the underlying binary format has no such restriction,
|
||||
and the validation step only ensures that the jump target is a
|
||||
valid rule start point.
|
||||
|
||||
IOW, its possible to build a rule blob that has no user-defined
|
||||
chains but does contain a jump.
|
||||
|
||||
If this happens, no jump stack gets allocated and crash occurs
|
||||
because no jumpstack was allocated.
|
||||
|
||||
Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
|
||||
Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/ipv4/netfilter/arp_tables.c | 4 ++++
|
||||
net/ipv4/netfilter/ip_tables.c | 7 ++++++-
|
||||
net/ipv6/netfilter/ip6_tables.c | 4 ++++
|
||||
3 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
|
||||
index 4ffe302f9b82..e3e420f3ba7b 100644
|
||||
--- a/net/ipv4/netfilter/arp_tables.c
|
||||
+++ b/net/ipv4/netfilter/arp_tables.c
|
||||
@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
|
||||
}
|
||||
if (table_base + v
|
||||
!= arpt_next_entry(e)) {
|
||||
+ if (unlikely(stackidx >= private->stacksize)) {
|
||||
+ verdict = NF_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
jumpstack[stackidx++] = e;
|
||||
}
|
||||
|
||||
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
|
||||
index 9a71f3149507..e38395a8dcf2 100644
|
||||
--- a/net/ipv4/netfilter/ip_tables.c
|
||||
+++ b/net/ipv4/netfilter/ip_tables.c
|
||||
@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
|
||||
continue;
|
||||
}
|
||||
if (table_base + v != ipt_next_entry(e) &&
|
||||
- !(e->ip.flags & IPT_F_GOTO))
|
||||
+ !(e->ip.flags & IPT_F_GOTO)) {
|
||||
+ if (unlikely(stackidx >= private->stacksize)) {
|
||||
+ verdict = NF_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
jumpstack[stackidx++] = e;
|
||||
+ }
|
||||
|
||||
e = get_entry(table_base, v);
|
||||
continue;
|
||||
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
|
||||
index af4c917e0836..62358b93bbac 100644
|
||||
--- a/net/ipv6/netfilter/ip6_tables.c
|
||||
+++ b/net/ipv6/netfilter/ip6_tables.c
|
||||
@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
|
||||
}
|
||||
if (table_base + v != ip6t_next_entry(e) &&
|
||||
!(e->ipv6.flags & IP6T_F_GOTO)) {
|
||||
+ if (unlikely(stackidx >= private->stacksize)) {
|
||||
+ verdict = NF_DROP;
|
||||
+ break;
|
||||
+ }
|
||||
jumpstack[stackidx++] = e;
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
|
@ -633,6 +633,9 @@ Patch653: CVE-2018-1000026.patch
|
|||
# rhbz 1549316
|
||||
Patch654: 0001-ipmi_si-Fix-error-handling-of-platform-device.patch
|
||||
|
||||
# CVE-2018-1065 rhbz 1547824 1547831
|
||||
Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1931,6 +1934,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Mar 02 2018 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2018-1065 (rhbz 1547824 1547831)
|
||||
|
||||
* Wed Feb 28 2018 Laura Abbott <labbott@redhat.com> - 4.15.7-200
|
||||
- Linux v4.15.7
|
||||
- Fix IPMI crash (rhbz 1549316)
|
||||
|
|
Loading…
Reference in New Issue