CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)

kernel.spec

@@ -616,6 +616,9 @@ Patch649: perf-tools-Fix-python-extension-build.patch
 #rhbz 1316136
 Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
 
+#CVE-2016-3135 rhbz 1317386 1317387
+Patch664: netfilter-x_tables-check-for-size-overflow.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2137,6 +2140,9 @@ fi
 #
 # 
 %changelog
+* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
+
 * Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - Add patch for ICP DAS I-756xU devices (rhbz 1316136)
 

netfilter-x_tables-check-for-size-overflow.patch

@@ -0,0 +1,31 @@
+Subject:    [PATCH nf] netfilter: x_tables: check for size overflow
+From:       Florian Westphal <fw () strlen ! de>
+Date:       2016-03-10 0:56:23
+
+Ben Hawkes says:
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can
+ lead to small structure allocation and a copy_from_user based heap
+ corruption.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/netfilter/x_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index c8a0b7d..17a9a9f 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ 	struct xt_table_info *info = NULL;
+ 	size_t sz = sizeof(*info) + size;
+ 
++	if (sz < sizeof(*info))
++		return NULL;
++
+ 	/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ 	if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ 		return NULL;
+-- 
+2.4.10