[NETFILTER]: Fix possible overflow in netfilters do_replace()

netfilter's do_replace() can overflow on addition within SMP_ALIGN() and/or on multiplication by NR_CPUS, resulting in a buffer overflow on the copy_from_user(). In practice, the overflow on addition is triggerable on all systems, whereas the multiplication one might require much physical memory to be present due to the check above. Either is sufficient to overwrite arbitrary amounts of kernel memory. I really hate adding the same check to all 4 versions of do_replace(), but the code is duplicate... Found by Solar Designer during security audit of OpenVZ.org Signed-Off-By: Kirill Korotaev <dev@openvz.org> Signed-Off-By: Solar Designer <solar@openwall.com> Signed-off-by: Patrck McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Kirill Korotaev <dev@openvz.org> 2006-02-04 05:16:56 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-02-05 02:51:25 -0500
commit: ee4bb818ae35f68d1f848eae0a7b150a38eb4168 (patch)
tree: 85a6ba60fc5782d77779f466f1ad5f2ec4330914 /net
parent: df4e9574a36748c3a4d9b03ffca6b42321a797a9 (diff)
4 files changed, 28 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 00729b3604f8..cbd4020cc84d 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len)
                BUGPRINT("Entries_size never zero\n");
                return -EINVAL;
        }
+        /* overflow check */
+        if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
+                        SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
+                return -ENOMEM;
+        if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+                return -ENOMEM;
        countersize = COUNTER_OFFSET(tmp.nentries) * 
                                        (highest_possible_processor_id()+1);
        newinfo = (struct ebt_table_info *)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index afe3d8f8177d..dd1048be8a01 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -807,6 +807,13 @@ static int do_replace(void __user *user, unsigned int len)
        if (len != sizeof(tmp) + tmp.size)
                return -ENOPROTOOPT;
+        /* overflow check */
+        if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
+                        SMP_CACHE_BYTES)
+                return -ENOMEM;
+        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+                return -ENOMEM;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
                return -ENOMEM;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2371b2062c2d..16f47c675fef 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -921,6 +921,13 @@ do_replace(void __user *user, unsigned int len)
        if (len != sizeof(tmp) + tmp.size)
                return -ENOPROTOOPT;
+        /* overflow check */
+        if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
+                        SMP_CACHE_BYTES)
+                return -ENOMEM;
+        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+                return -ENOMEM;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
                return -ENOMEM;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 847068fd3367..74ff56c322f4 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len)
        if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
                return -EFAULT;
+        /* overflow check */
+        if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
+                        SMP_CACHE_BYTES)
+                return -ENOMEM;
+        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+                return -ENOMEM;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
                return -ENOMEM;
author	Kirill Korotaev <dev@openvz.org>	2006-02-04 05:16:56 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-02-05 02:51:25 -0500
commit	ee4bb818ae35f68d1f848eae0a7b150a38eb4168 (patch)
tree	85a6ba60fc5782d77779f466f1ad5f2ec4330914 /net
parent	df4e9574a36748c3a4d9b03ffca6b42321a797a9 (diff)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 00729b3604f8..cbd4020cc84d 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c
@@ -934,6 +934,13 @@ static int do_replace(void __user *user, unsigned int len)
934	BUGPRINT("Entries_size never zero\n");	934	BUGPRINT("Entries_size never zero\n");
935	return -EINVAL;	935	return -EINVAL;
936	}	936	}
		937	/* overflow check */
		938	if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS -
		939	SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
		940	return -ENOMEM;
		941	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
		942	return -ENOMEM;
		943
937	countersize = COUNTER_OFFSET(tmp.nentries) *	944	countersize = COUNTER_OFFSET(tmp.nentries) *
938	(highest_possible_processor_id()+1);	945	(highest_possible_processor_id()+1);
939	newinfo = (struct ebt_table_info *)	946	newinfo = (struct ebt_table_info *)


diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index afe3d8f8177d..dd1048be8a01 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c
@@ -807,6 +807,13 @@ static int do_replace(void __user *user, unsigned int len)
807	if (len != sizeof(tmp) + tmp.size)	807	if (len != sizeof(tmp) + tmp.size)
808	return -ENOPROTOOPT;	808	return -ENOPROTOOPT;
809		809
		810	/* overflow check */
		811	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
		812	SMP_CACHE_BYTES)
		813	return -ENOMEM;
		814	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
		815	return -ENOMEM;
		816
810	newinfo = xt_alloc_table_info(tmp.size);	817	newinfo = xt_alloc_table_info(tmp.size);
811	if (!newinfo)	818	if (!newinfo)
812	return -ENOMEM;	819	return -ENOMEM;


diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 2371b2062c2d..16f47c675fef 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -921,6 +921,13 @@ do_replace(void __user *user, unsigned int len)
921	if (len != sizeof(tmp) + tmp.size)	921	if (len != sizeof(tmp) + tmp.size)
922	return -ENOPROTOOPT;	922	return -ENOPROTOOPT;
923		923
		924	/* overflow check */
		925	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
		926	SMP_CACHE_BYTES)
		927	return -ENOMEM;
		928	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
		929	return -ENOMEM;
		930
924	newinfo = xt_alloc_table_info(tmp.size);	931	newinfo = xt_alloc_table_info(tmp.size);
925	if (!newinfo)	932	if (!newinfo)
926	return -ENOMEM;	933	return -ENOMEM;


diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 847068fd3367..74ff56c322f4 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -978,6 +978,13 @@ do_replace(void __user *user, unsigned int len)
978	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)	978	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
979	return -EFAULT;	979	return -EFAULT;
980		980
		981	/* overflow check */
		982	if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
		983	SMP_CACHE_BYTES)
		984	return -ENOMEM;
		985	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
		986	return -ENOMEM;
		987
981	newinfo = xt_alloc_table_info(tmp.size);	988	newinfo = xt_alloc_table_info(tmp.size);
982	if (!newinfo)	989	if (!newinfo)
983	return -ENOMEM;	990	return -ENOMEM;