Commit a919af8f authored Feb 07, 2018 by Florian Westphal Committed by Srinivasa Rao Kuppala Jul 05, 2018

netfilter: add back stackpointer size checks



The rationale for removing the check is only correct for rulesets
generated by ip(6)tables.

In iptables, a jump can only occur to a user-defined chain, i.e.
because we size the stack based on number of user-defined chains we
cannot exceed stack size.

However, the underlying binary format has no such restriction,
and the validation step only ensures that the jump target is a
valid rule start point.

IOW, its possible to build a rule blob that has no user-defined
chains but does contain a jump.

If this happens, no jump stack gets allocated and crash occurs
because no jumpstack was allocated.

Fixes: 7814b6ec ("netfilter: xtables: don't save/restore jumpstack offset")
Reported-by:  <syzbot+e783f671527912cd9403@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


Git-commit: 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8
[srkupp@codeaurora.org: Resolved minor conflict]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Change-Id: I417d9164f95aae0d4ca2164a26d5d2fb7ec1ab10

parent cb2e955c

net/ipv4/netfilter/arp_tables.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -329,6 +329,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
		}
		if (table_base + v
		!= arpt_next_entry(e)) {
		if (unlikely(stackidx >= private->stacksize)) {
		verdict = NF_DROP;
		break;
		}
		jumpstack[stackidx++] = e;
		}

net/ipv4/netfilter/ip_tables.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -408,9 +408,11 @@ ipt_do_table(struct sk_buff *skb,
		}
		if (table_base + v != ipt_next_entry(e) &&
		!(e->ip.flags & IPT_F_GOTO)) {
		if (unlikely(stackidx >= private->stacksize)) {
		verdict = NF_DROP;
		break;
		}
		jumpstack[stackidx++] = e;
		pr_debug("Pushed %p into pos %u\n",
		e, stackidx - 1);
		}

		e = get_entry(table_base, v);

net/ipv6/netfilter/ip6_tables.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -429,6 +429,10 @@ ip6t_do_table(struct sk_buff *skb,
		}
		if (table_base + v != ip6t_next_entry(e) &&
		!(e->ipv6.flags & IP6T_F_GOTO)) {
		if (unlikely(stackidx >= private->stacksize)) {
		verdict = NF_DROP;
		break;
		}
		jumpstack[stackidx++] = e;
		}