authorJustin M. Forbes <jforbes@fedoraproject.org>2018-03-02 07:19:05 -0600
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-03-02 07:19:05 -0600
commit0e73a86b9138a99816a81d6a6ec202b9d0b01f1b (patch)
treee3381ce9f8a0192b5eb9992e1c3d64b4c6b814e9
parentbeca8c749b4ca7fc31990d2c2f49668e857027f3 (diff)
Fix CVE-2018-1065 (rhbz 1547824 1547831)
-rw-r--r--0001-netfilter-add-back-stackpointer-size-checks.patch84
-rw-r--r--kernel.spec6
2 files changed, 90 insertions, 0 deletions
diff --git a/0001-netfilter-add-back-stackpointer-size-checks.patch b/0001-netfilter-add-back-stackpointer-size-checks.patch
new file mode 100644
index 000000000..1bf809aa1
--- /dev/null
+++ b/0001-netfilter-add-back-stackpointer-size-checks.patch
@@ -0,0 +1,84 @@
+From 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Feb 2018 13:46:25 +0100
+Subject: [PATCH] netfilter: add back stackpointer size checks
+
+The rationale for removing the check is only correct for rulesets
+generated by ip(6)tables.
+
+In iptables, a jump can only occur to a user-defined chain, i.e.
+because we size the stack based on number of user-defined chains we
+cannot exceed stack size.
+
+However, the underlying binary format has no such restriction,
+and the validation step only ensures that the jump target is a
+valid rule start point.
+
+IOW, its possible to build a rule blob that has no user-defined
+chains but does contain a jump.
+
+If this happens, no jump stack gets allocated and crash occurs
+because no jumpstack was allocated.
+
+Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
+Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++++
+ net/ipv4/netfilter/ip_tables.c | 7 ++++++-
+ net/ipv6/netfilter/ip6_tables.c | 4 ++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 4ffe302f9b82..e3e420f3ba7b 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v
+ != arpt_next_entry(e)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 9a71f3149507..e38395a8dcf2 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
+ continue;
+ }
+ if (table_base + v != ipt_next_entry(e) &&
+- !(e->ip.flags & IPT_F_GOTO))
++ !(e->ip.flags & IPT_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
++ }
+
+ e = get_entry(table_base, v);
+ continue;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index af4c917e0836..62358b93bbac 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
+ }
+ if (table_base + v != ip6t_next_entry(e) &&
+ !(e->ipv6.flags & IP6T_F_GOTO)) {
++ if (unlikely(stackidx >= private->stacksize)) {
++ verdict = NF_DROP;
++ break;
++ }
+ jumpstack[stackidx++] = e;
+ }
+
+--
+2.14.3
+
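Review bot: A ruleset that trips the new `stackidx >= private->stacksize` guard (same three-line check in the arp_tables.c, ip_tables.c and ip6_tables.c hunks) is dropped silently, per packet, with nothing telling the administrator that a blob the setsockopt-time validator accepted is malformed; a one-shot diagnostic such as `WARN_ON_ONCE(1);` ahead of `verdict = NF_DROP;`, or better a translate-time rejection of jumps when no jump stack was sized, would make the failure visible instead of looking like a firewall policy decision. As written the guard is the right defensive bound: it runs before the `jumpstack[stackidx++] = e` write and compares against the same `stacksize` that sized the allocation, so a blob with a jump but zero user-defined chains (stacksize 0, no jumpstack allocated, per the patch description) is refused rather than dereferenced. The three `*_do_table` functions begin and end outside these hunks, so the post-loop handling of `verdict` after the added `break` is not visible here and is assumed to return it unchanged. Since this is a verbatim backport of upstream 57ebd808a97d, any such change belongs upstream first; the Fedora-side review point is only that the silent drop is documented as expected behaviour for this CVE.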
diff --git a/kernel.spec b/kernel.spec
index 75110202c..b73b73f7a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -633,6 +633,9 @@ Patch653: CVE-2018-1000026.patch
# rhbz 1549316
Patch654: 0001-ipmi_si-Fix-error-handling-of-platform-device.patch
+# CVE-2018-1065 rhbz 1547824 1547831
+Patch655: 0001-netfilter-add-back-stackpointer-size-checks.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1931,6 +1934,9 @@ fi
#
#
%changelog
+* Fri Mar 02 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2018-1065 (rhbz 1547824 1547831)
+
* Wed Feb 28 2018 Laura Abbott <labbott@redhat.com> - 4.15.7-200
- Linux v4.15.7
- Fix IPMI crash (rhbz 1549316)