author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-03-02 07:19:05 -0600 |
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-03-02 07:19:05 -0600 |
commit | 0e73a86b9138a99816a81d6a6ec202b9d0b01f1b (patch) | |
tree | e3381ce9f8a0192b5eb9992e1c3d64b4c6b814e9 | |
parent | beca8c749b4ca7fc31990d2c2f49668e857027f3 (diff) | |
Fix CVE-2018-1065 (rhbz 1547824 1547831)
-rw-r--r-- | 0001-netfilter-add-back-stackpointer-size-checks.patch | 84 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 90 insertions, 0 deletions
diff --git a/0001-netfilter-add-back-stackpointer-size-checks.patch b/0001-netfilter-add-back-stackpointer-size-checks.patch
new file mode 100644
index 000000000..1bf809aa1
--- /dev/null
+++ b/0001-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,84 @@
+From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Feb 2018 13:46:25 +0100
+Subject: [PATCH] netfilter: add back stackpointer size checks
+
+The rationale for removing the check is only correct for rulesets
+generated by ip(6)tables.
+
+In iptables, a jump can only occur to a user-defined chain, i.e.
+because we size the stack based on number of user-defined chains we
+cannot exceed stack size.
+
+However, the underlying binary format has no such restriction,
+and the validation step only ensures that the jump target is a
+valid rule start point.
+
+IOW, its possible to build a rule blob that has no user-defined
+chains but does contain a jump.
+
+If this happens, no jump stack gets allocated and crash occurs
+because no jumpstack was allocated.
+
+Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
+Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c | 7 ++++++-
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 4ffe302f9b82..e3e420f3ba7b 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v
+ != arpt_next_entry(e)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 9a71f3149507..e38395a8dcf2 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
+ continue;
+ }
+ if (table_base + v != ipt_next_entry(e) &&
+- !(e->ip.flags & IPT_F_GOTO))
++ !(e->ip.flags & IPT_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
++ }
+
+ e = get_entry(table_base, v);
+ continue;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index af4c917e0836..62358b93bbac 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v != ip6t_next_entry(e) &&
+ !(e->ipv6.flags & IP6T_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
+--
+2.14.3
+
diff --git a/kernel.spec b/kernel.spec
index 75110202c..b73b73f7a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -633,6 +633,9 @@ Patch653: CVE-2018-1000026.patch
 # rhbz 1549316
 Patch654: 0001-ipmi_si-Fix-error-handling-of-platform-device.patch
+# CVE-2018-1065 rhbz 1547824 1547831
+Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1931,6 +1934,9 @@ fi
 #
 #
 %changelog
+* Fri Mar 02 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-1065 (rhbz 1547824 1547831)
+
 * Wed Feb 28 2018 Laura Abbott <labbott@redhat.com> - 4.15.7-200
 - Linux v4.15.7
 - Fix IPMI crash (rhbz 1549316) |
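Review bot: The three new guards (`if (unlikely(stackidx >= private->stacksize)) { verdict = NF_DROP; break; }` in arpt_do_table, ipt_do_table and ip6t_do_table) fail closed only at packet-processing time, so a hand-built rule blob that jumps without any user-defined chain is presumably still accepted by the table loader and then silently drops every packet that reaches the jump. The commit message itself notes that load-time validation only checks that the jump target is a valid rule start, so the proper long-term fix is a companion check at table translation time that rejects such a blob; that is outside this backport, but each new check deserves a why-comment, e.g. `/* jumpstack is sized from the user-defined chain count; a hand-built blob can jump without one - fail closed instead of writing past the stack */`. Keeping the three copies byte-identical to upstream 57ebd808a97d is the right call for a backport, as it keeps the patch trivially droppable on rebase. The enclosing `*_do_table()` bodies start and end outside the hunks, so the loop exit taken by `break` and the post-loop handling of the NF_DROP verdict are not visible here; confirm nothing on that path dereferences `jumpstack` when no stack was allocated.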
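Review bot: The new `Patch655:` definition is annotated only with the CVE and bugzilla ids (`# CVE-2018-1065 rhbz 1547824 1547831`), which gives a future rebase no way to tell when the backport can be dropped without opening the patch file. Since the patch header already carries the upstream commit, record it on the spec line as well, e.g. `# CVE-2018-1065 rhbz 1547824 1547831 (upstream 57ebd808a97d, netfilter: add back stackpointer size checks)`, matching how CVE patches are tracked elsewhere in this spec if that convention exists.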