linux/net
Phil Turnbull c58d6c9368 netfilter: nfnetlink: correctly validate length of batch messages
If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.

The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.

If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:

    [   41.455421] ==================================================================
    [   41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
    [   41.456431] Read of size 4294967280 by task a.out/987
    [   41.456431] =============================================================================
    [   41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    [   41.456431] -----------------------------------------------------------------------------
    ...
    [   41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00  ................
    [   41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00   ...............
    [   41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05  .......@EV."3...
    [   41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb  ................
                                            ^^ start of batch nlmsg with
                                               nlmsg_len=4294967280
    ...
    [   41.456431] Memory state around the buggy address:
    [   41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [   41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
    [   41.456431]                                ^
    [   41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [   41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
    [   41.456431] ==================================================================

Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.

CAP_NET_ADMIN is required to trigger the bugs.

Fixes: 9ea2aa8b7d ("netfilter: nfnetlink: validate nfnetlink header from batch")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-02-08 12:56:54 +01:00
..
6lowpan 6lowpan: fix debugfs interface entry name 2015-12-20 08:21:00 +01:00
9p ... and a couple in net/9p 2016-01-04 10:29:17 -05:00
802
8021q net: Rename NETIF_F_ALL_CSUM to NETIF_F_CSUM_MASK 2015-12-15 16:50:08 -05:00
appletalk
atm net: Generalise wq_has_sleeper helper 2015-11-30 14:47:33 -05:00
ax25 net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
batman-adv batman-adv: Drop immediate orig_node free function 2016-01-16 22:50:00 +08:00
bluetooth Bluetooth: Fix incorrect removing of IRKs 2016-01-29 11:47:24 +01:00
bridge switchdev: Require RTNL mutex to be held when sending FDB notifications 2016-01-28 16:21:31 -08:00
caif net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
can can: avoid using timeval for uapi 2015-10-13 17:42:34 +02:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2015-11-13 09:24:40 -08:00
core gro: Make GRO aware of lightweight tunnels. 2016-01-20 18:48:38 -08:00
dcb net/dcb: make dcbnl.c explicitly non-modular 2015-10-09 07:52:27 -07:00
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-12-03 21:09:12 -05:00
decnet net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
dns_resolver net: dns_resolver: convert time_t to time64_t 2015-11-18 16:27:46 -05:00
dsa dsa: Register netdev before phy 2016-01-07 14:31:26 -05:00
ethernet net: Add eth_platform_get_mac_address() helper. 2016-01-06 16:31:56 -05:00
hsr net/hsr: fix a warning message 2015-11-23 14:56:15 -05:00
ieee802154 inet: kill unused skb_free op 2016-01-05 22:25:57 -05:00
ipv4 tcp: avoid cwnd undo after receiving ECN 2016-01-29 23:03:56 -08:00
ipv6 netfilter: conntrack: resched in nf_ct_iterate_cleanup 2016-02-01 00:15:26 +01:00
ipx
irda irda: fix a potential use-after-free in ircomm_param_request 2016-01-29 22:56:46 -08:00
iucv af_iucv: Validate socket address length in iucv_sock_bind() 2016-01-19 14:21:08 -05:00
key af_key: fix two typos 2015-10-23 03:05:19 -07:00
l2tp l2tp: rely on ppp layer for skb scrubbing 2016-01-04 16:45:24 -05:00
l3mdev net: Add netif_is_l3_slave 2015-10-07 04:27:43 -07:00
lapb
llc tcp: fix recv with flags MSG_WAITALL | MSG_PEEK 2015-07-27 01:06:53 -07:00
mac80211 mac80211: Requeue work after scan complete for all VIF types. 2016-01-26 11:27:39 +01:00
mac802154 mac802154: constify ieee802154_llsec_ops structure 2016-01-04 20:40:41 +01:00
mpls Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-12-17 22:08:28 -05:00
netfilter netfilter: nfnetlink: correctly validate length of batch messages 2016-02-08 12:56:54 +01:00
netlabel
netlink netlink: not trim skb for mmaped socket when dump 2016-01-29 20:25:17 -08:00
netrom
nfc NFC 4.5 pull request 2016-01-04 21:48:15 -05:00
openvswitch ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack 2016-01-18 12:09:45 -05:00
packet packet: Allow packets with only a header (but no payload) 2015-11-29 22:17:17 -05:00
phonet phonet: properly unshare skbs in phonet_rcv() 2016-01-12 12:05:38 -05:00
rds RDS: don't pretend to use cpu notifiers 2015-12-22 15:23:05 -05:00
rfkill rfkill: fix rfkill_fop_read wait_event usage 2016-01-26 11:32:05 +01:00
rose
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-01-12 18:57:02 -08:00
sched net_sched: drr: check for NULL pointer in drr_dequeue 2016-01-29 17:26:44 -08:00
sctp sctp: remove the dead field of sctp_transport 2016-01-28 15:59:32 -08:00
sunrpc Smaller bugfixes and cleanup, including a fix for a failures of 2016-01-15 12:49:44 -08:00
switchdev switchdev: Require RTNL mutex to be held when sending FDB notifications 2016-01-28 16:21:31 -08:00
tipc tipc: fix connection abort during subscription cancel 2016-01-29 15:14:21 -05:00
unix af_unix: fix struct pid memory leak 2016-01-24 22:04:49 -08:00
vmw_vsock Revert "Merge branch 'vsock-virtio'" 2015-12-08 21:55:49 -05:00
wimax net:wimax: Fix doucble word "the the" in networking.xml 2015-08-09 22:43:52 -07:00
wireless regulatory: fix world regulatory domain data 2016-01-14 11:10:13 +01:00
x25
xfrm net: preserve IP control block during GSO segmentation 2016-01-15 14:35:24 -05:00
compat.c
Kconfig net, sched: add clsact qdisc 2016-01-10 22:13:15 -05:00
Makefile net: Introduce L3 Master device abstraction 2015-09-29 20:40:32 -07:00
socket.c kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
sysctl_net.c net: sysctl: fix a kmemleak warning 2015-10-23 06:22:08 -07:00