[RHEL7,COMMIT] netfilter: ctnetlink: add a range check for l3/l4 protonum

Submitted by Vasily Averin on Sept. 11, 2020, 9:42 a.m.

Details

Message ID 202009110942.08B9gSff002436@vz7build.vvs.sw.ru
State New
Series "ms/netfilter: nat: add a range check for l3/l4 protonum"
Headers show

Commit Message

Vasily Averin Sept. 11, 2020, 9:42 a.m.
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.20
------>
commit fead384e032bb1eb4763d2a1fbd4d94943edab5b
Author: Will McVicker <willmcvicker@google.com>
Date:   Fri Sep 11 12:42:28 2020 +0300

    netfilter: ctnetlink: add a range check for l3/l4 protonum
    
    The indexes to the nf_nat_l[34]protos arrays come from userspace. So
    check the tuple's family, e.g. l3num, when creating the conntrack in
    order to prevent an OOB memory access during setup.  Here is an example
    kernel panic on 4.14.180 when userspace passes in an index greater than
    NFPROTO_NUMPROTO.
    
    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:...
    Process poc (pid: 5614, stack limit = 0x00000000a3933121)
    CPU: 4 PID: 5614 Comm: poc Tainted: G S      W  O
    4.14.180-g051355490483
    Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc.
    MSM
    task: 000000002a3dfffe task.stack: 00000000a3933121
    pc : __cfi_check_fail+0x1c/0x24
    lr : __cfi_check_fail+0x1c/0x24
    ...
    Call trace:
    __cfi_check_fail+0x1c/0x24
    name_to_dev_t+0x0/0x468
    nfnetlink_parse_nat_setup+0x234/0x258
    ctnetlink_parse_nat_setup+0x4c/0x228
    ctnetlink_new_conntrack+0x590/0xc40
    nfnetlink_rcv_msg+0x31c/0x4d4
    netlink_rcv_skb+0x100/0x184
    nfnetlink_rcv+0xf4/0x180
    netlink_unicast+0x360/0x770
    netlink_sendmsg+0x5a0/0x6a4
    ___sys_sendmsg+0x314/0x46c
    SyS_sendmsg+0xb4/0x108
    el0_svc_naked+0x34/0x38
    
    This crash is not happening since 5.4+, however, ctnetlink still
    allows for creating entries with unsupported layer 3 protocol number.
    
    Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for
    nf_conntrack")
    Signed-off-by: Will McVicker <willmcvicker@google.com>
    
    backported version of mainline 1cc5ef91d2ff94d
    Fixes CVE-2020-25211
    https://jira.sw.ru/browse/PSBM-107823
    Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
---
 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

Patch hide | download patch | download mbox

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 30fd8b1..04e8ada 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1001,6 +1001,8 @@  ctnetlink_parse_tuple(const struct nlattr * const cda[],
 	if (!tb[CTA_TUPLE_IP])
 		return -EINVAL;
 
+	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
+		return -EOPNOTSUPP;
 	tuple->src.l3num = l3num;
 
 	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);