|
 |
b3ed2d |
From: Joel Savitz <jsavitz@redhat.com>
|
|
|
b3ed2d |
Subject: [KPATCH 7.9] netfilter: x_tables: kpatch fixes for CVE-2021-22555
|
|
|
b3ed2d |
Date: Wed, 28 Jul 2021 12:03:15 -0400
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Kernels:
|
|
|
b3ed2d |
3.10.0-1160.el7
|
|
|
b3ed2d |
3.10.0-1160.2.1.el7
|
|
|
b3ed2d |
3.10.0-1160.2.2.el7
|
|
|
b3ed2d |
3.10.0-1160.6.1.el7
|
|
|
b3ed2d |
3.10.0-1160.11.1.el7
|
|
|
b3ed2d |
3.10.0-1160.15.2.el7
|
|
|
b3ed2d |
3.10.0-1160.21.1.el7
|
|
|
b3ed2d |
3.10.0-1160.24.1.el7
|
|
|
b3ed2d |
3.10.0-1160.25.1.el7
|
|
|
b3ed2d |
3.10.0-1160.31.1.el7
|
|
|
b3ed2d |
3.10.0-1160.36.2.el7
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Changes since last build:
|
|
|
b3ed2d |
arches: x86_64 ppc64le
|
|
|
b3ed2d |
arp_tables.o: changed function: translate_compat_table
|
|
|
b3ed2d |
ip6_tables.o: changed function: translate_compat_table
|
|
|
b3ed2d |
ip_tables.o: changed function: translate_compat_table
|
|
|
b3ed2d |
x_tables.o: changed function: xt_compat_match_from_user
|
|
|
b3ed2d |
x_tables.o: changed function: xt_compat_target_from_user
|
|
|
b3ed2d |
---------------------------
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Kernels:
|
|
|
b3ed2d |
3.10.0-1160.el7
|
|
|
b3ed2d |
3.10.0-1160.2.1.el7
|
|
|
b3ed2d |
3.10.0-1160.2.2.el7
|
|
|
b3ed2d |
3.10.0-1160.6.1.el7
|
|
|
b3ed2d |
3.10.0-1160.11.1.el7
|
|
|
b3ed2d |
3.10.0-1160.15.2.el7
|
|
|
b3ed2d |
3.10.0-1160.21.1.el7
|
|
|
b3ed2d |
3.10.0-1160.24.1.el7
|
|
|
b3ed2d |
3.10.0-1160.25.1.el7
|
|
|
b3ed2d |
3.10.0-1160.31.1.el7
|
|
|
b3ed2d |
3.10.0-1160.36.2.el7
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Modifications: none
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/201
|
|
|
b3ed2d |
KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5642298
|
|
|
b3ed2d |
for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38448253
|
|
|
b3ed2d |
|
|
|
b3ed2d |
commit 06215319786b979bed0f5eb3138de0506db9d39f
|
|
|
b3ed2d |
Author: Florian Westphal <fwestpha@redhat.com>
|
|
|
b3ed2d |
Date: Fri Jul 9 11:42:55 2021 +0200
|
|
|
b3ed2d |
|
|
|
b3ed2d |
netfilter: x_tables: fix compat match/target pad out-of-bound write
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1980489
|
|
|
b3ed2d |
Upstream Status: commit b29c457a65114
|
|
|
b3ed2d |
CVE: CVE-2021-22555
|
|
|
b3ed2d |
|
|
|
b3ed2d |
commit b29c457a6511435960115c0f548c4360d5f4801d
|
|
|
b3ed2d |
Author: Florian Westphal <fw@strlen.de>
|
|
|
b3ed2d |
Date: Wed Apr 7 21:38:57 2021 +0200
|
|
|
b3ed2d |
|
|
|
b3ed2d |
netfilter: x_tables: fix compat match/target pad out-of-bound write
|
|
|
b3ed2d |
|
|
|
b3ed2d |
xt_compat_match/target_from_user doesn't check that zeroing the area
|
|
|
b3ed2d |
to start of next rule won't write past end of allocated ruleset blob.
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Remove this code and zero the entire blob beforehand.
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
|
|
|
b3ed2d |
Reported-by: Andy Nguyen <theflow@google.com>
|
|
|
b3ed2d |
Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
|
|
|
b3ed2d |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
b3ed2d |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
|
|
|
b3ed2d |
|
|
|
b3ed2d |
Signed-off-by: Joel Savitz <jsavitz@redhat.com>
|
|
|
b3ed2d |
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
|
|
|
b3ed2d |
Acked-by: Artem Savkov <asavkov@redhat.com>
|
|
|
b3ed2d |
Acked-by: Yannick Cote <ycote@redhat.com>
|
|
|
b3ed2d |
---
|
|
|
b3ed2d |
net/ipv4/netfilter/arp_tables.c | 2 ++
|
|
|
b3ed2d |
net/ipv4/netfilter/ip_tables.c | 2 ++
|
|
|
b3ed2d |
net/ipv6/netfilter/ip6_tables.c | 2 ++
|
|
|
b3ed2d |
net/netfilter/x_tables.c | 10 ++--------
|
|
|
b3ed2d |
4 files changed, 8 insertions(+), 8 deletions(-)
|
|
|
b3ed2d |
|
|
|
b3ed2d |
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
|
|
|
b3ed2d |
index 602d92697038..66ad3b4e194c 100644
|
|
|
b3ed2d |
--- a/net/ipv4/netfilter/arp_tables.c
|
|
|
b3ed2d |
+++ b/net/ipv4/netfilter/arp_tables.c
|
|
|
b3ed2d |
@@ -1364,6 +1364,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
|
|
b3ed2d |
if (!newinfo)
|
|
|
b3ed2d |
goto out_unlock;
|
|
|
b3ed2d |
|
|
|
b3ed2d |
+ memset(newinfo->entries, 0, size);
|
|
|
b3ed2d |
+
|
|
|
b3ed2d |
newinfo->number = compatr->num_entries;
|
|
|
b3ed2d |
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
|
|
|
b3ed2d |
newinfo->hook_entry[i] = info->hook_entry[i];
|
|
|
b3ed2d |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
|
|
|
b3ed2d |
index 3559f7ffa430..d9de653be67e 100644
|
|
|
b3ed2d |
--- a/net/ipv4/netfilter/ip_tables.c
|
|
|
b3ed2d |
+++ b/net/ipv4/netfilter/ip_tables.c
|
|
|
b3ed2d |
@@ -1622,6 +1622,8 @@ translate_compat_table(struct net *net,
|
|
|
b3ed2d |
if (!newinfo)
|
|
|
b3ed2d |
goto out_unlock;
|
|
|
b3ed2d |
|
|
|
b3ed2d |
+ memset(newinfo->entries, 0, size);
|
|
|
b3ed2d |
+
|
|
|
b3ed2d |
newinfo->number = compatr->num_entries;
|
|
|
b3ed2d |
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
|
|
b3ed2d |
newinfo->hook_entry[i] = compatr->hook_entry[i];
|
|
|
b3ed2d |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
|
|
|
b3ed2d |
index 1772a1797e79..d112bfc86aac 100644
|
|
|
b3ed2d |
--- a/net/ipv6/netfilter/ip6_tables.c
|
|
|
b3ed2d |
+++ b/net/ipv6/netfilter/ip6_tables.c
|
|
|
b3ed2d |
@@ -1626,6 +1626,8 @@ translate_compat_table(struct net *net,
|
|
|
b3ed2d |
if (!newinfo)
|
|
|
b3ed2d |
goto out_unlock;
|
|
|
b3ed2d |
|
|
|
b3ed2d |
+ memset(newinfo->entries, 0, size);
|
|
|
b3ed2d |
+
|
|
|
b3ed2d |
newinfo->number = compatr->num_entries;
|
|
|
b3ed2d |
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
|
|
b3ed2d |
newinfo->hook_entry[i] = compatr->hook_entry[i];
|
|
|
b3ed2d |
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
|
|
|
b3ed2d |
index 76e40ff48b10..affd08ce7df8 100644
|
|
|
b3ed2d |
--- a/net/netfilter/x_tables.c
|
|
|
b3ed2d |
+++ b/net/netfilter/x_tables.c
|
|
|
b3ed2d |
@@ -564,7 +564,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
|
|
b3ed2d |
{
|
|
|
b3ed2d |
const struct xt_match *match = m->u.kernel.match;
|
|
|
b3ed2d |
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
|
|
|
b3ed2d |
- int pad, off = xt_compat_match_offset(match);
|
|
|
b3ed2d |
+ int off = xt_compat_match_offset(match);
|
|
|
b3ed2d |
u_int16_t msize = cm->u.user.match_size;
|
|
|
b3ed2d |
char name[sizeof(m->u.user.name)];
|
|
|
b3ed2d |
|
|
|
b3ed2d |
@@ -574,9 +574,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
|
|
b3ed2d |
match->compat_from_user(m->data, cm->data);
|
|
|
b3ed2d |
else
|
|
|
b3ed2d |
memcpy(m->data, cm->data, msize - sizeof(*cm));
|
|
|
b3ed2d |
- pad = XT_ALIGN(match->matchsize) - match->matchsize;
|
|
|
b3ed2d |
- if (pad > 0)
|
|
|
b3ed2d |
- memset(m->data + match->matchsize, 0, pad);
|
|
|
b3ed2d |
|
|
|
b3ed2d |
msize += off;
|
|
|
b3ed2d |
m->u.user.match_size = msize;
|
|
|
b3ed2d |
@@ -913,7 +910,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
|
|
|
b3ed2d |
{
|
|
|
b3ed2d |
const struct xt_target *target = t->u.kernel.target;
|
|
|
b3ed2d |
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
|
|
|
b3ed2d |
- int pad, off = xt_compat_target_offset(target);
|
|
|
b3ed2d |
+ int off = xt_compat_target_offset(target);
|
|
|
b3ed2d |
u_int16_t tsize = ct->u.user.target_size;
|
|
|
b3ed2d |
char name[sizeof(t->u.user.name)];
|
|
|
b3ed2d |
|
|
|
b3ed2d |
@@ -923,9 +920,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
|
|
|
b3ed2d |
target->compat_from_user(t->data, ct->data);
|
|
|
b3ed2d |
else
|
|
|
b3ed2d |
memcpy(t->data, ct->data, tsize - sizeof(*ct));
|
|
|
b3ed2d |
- pad = XT_ALIGN(target->targetsize) - target->targetsize;
|
|
|
b3ed2d |
- if (pad > 0)
|
|
|
b3ed2d |
- memset(t->data + target->targetsize, 0, pad);
|
|
|
b3ed2d |
|
|
|
b3ed2d |
tsize += off;
|
|
|
b3ed2d |
t->u.user.target_size = tsize;
|
|
|
b3ed2d |
--
|
|
|
b3ed2d |
2.27.0
|
|
|
b3ed2d |
|
|
|
b3ed2d |
|