Commit 28ce8495 authored Aug 28, 2023 by Wander Lairson Costa Committed by Greg Kroah-Hartman Sep 23, 2023

netfilter: xt_u32: validate user space input



commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream.

The xt_u32 module doesn't validate the fields in the xt_u32 structure.
An attacker may take advantage of this to trigger an OOB read by setting
the size fields with a value beyond the arrays boundaries.

Add a checkentry function to validate the structure.

This was originally reported by the ZDI project (ZDI-CAN-18408).

Fixes: 1b50b8a3 ("[NETFILTER]: Add u32 match")
Cc: stable@vger.kernel.org
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 109e8305

net/netfilter/xt_u32.c

+21 −0

Original line number	Diff line number	Diff line
		@@ -96,11 +96,32 @@ static bool u32_mt(const struct sk_buff skb, struct xt_action_param par)
		return ret ^ data->invert;
		}

		static int u32_mt_checkentry(const struct xt_mtchk_param *par)
		{
		const struct xt_u32 *data = par->matchinfo;
		const struct xt_u32_test *ct;
		unsigned int i;

		if (data->ntests > ARRAY_SIZE(data->tests))
		return -EINVAL;

		for (i = 0; i < data->ntests; ++i) {
		ct = &data->tests[i];

		if (ct->nnums > ARRAY_SIZE(ct->location) \|\|
		ct->nvalues > ARRAY_SIZE(ct->value))
		return -EINVAL;
		}

		return 0;
		}

		static struct xt_match xt_u32_mt_reg __read_mostly = {
		.name = "u32",
		.revision = 0,
		.family = NFPROTO_UNSPEC,
		.match = u32_mt,
		.checkentry = u32_mt_checkentry,
		.matchsize = sizeof(struct xt_u32),
		.me = THIS_MODULE,
		};