mirror of
https://github.com/torvalds/linux.git
synced 2024-12-11 21:52:04 +00:00
e608f631f0
syzbot reported following splat:
BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
[..]
Because padding isn't considered during computation of ->buf_user_offset,
"total" is decremented by fewer bytes than it should.
Therefore, the first part of
if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
will pass, -- it should not have. This causes oob access:
entry->next_offset is past the vmalloced size.
Reject padding and check that computed user offset (sum of ebt_entry
structure plus all individual matches/watchers/targets) is same
value that userspace gave us as the offset of the next entry.
Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
Fixes:
|
||
---|---|---|
.. | ||
ebt_802_3.c | ||
ebt_among.c | ||
ebt_arp.c | ||
ebt_arpreply.c | ||
ebt_dnat.c | ||
ebt_ip6.c | ||
ebt_ip.c | ||
ebt_limit.c | ||
ebt_log.c | ||
ebt_mark_m.c | ||
ebt_mark.c | ||
ebt_nflog.c | ||
ebt_pkttype.c | ||
ebt_redirect.c | ||
ebt_snat.c | ||
ebt_stp.c | ||
ebt_vlan.c | ||
ebtable_broute.c | ||
ebtable_filter.c | ||
ebtable_nat.c | ||
ebtables.c | ||
Kconfig | ||
Makefile | ||
nf_conntrack_bridge.c | ||
nf_log_bridge.c | ||
nft_meta_bridge.c | ||
nft_reject_bridge.c |