git.monstr.eu Git - linux-2.6-microblaze.git/commit

author	Willem de Bruijn <willemb@google.com>
	Tue, 9 May 2017 20:17:37 +0000 (16:17 -0400)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 15 May 2017 10:51:38 +0000 (12:51 +0200)
commit	324318f0248c31be8a08984146e7e4dd7cdd091d
tree	8d9394a19e3fd3891198257b24269d28a55328a8	tree \| snapshot
parent	ff1e4300cf69bebd7d61741475812ba13cc69e31	commit \| diff

netfilter: xtables: zero padding in data_to_user

When looking up an iptables rule, the iptables binary compares the
aligned match and target data (XT_ALIGN). In some cases this can
exceed the actual data size to include padding bytes.

Before commit f77bc5b23fb1 ("iptables: use match, target and data
copy_to_user helpers") the malloc()ed bytes were overwritten by the
kernel with kzalloced contents, zeroing the padding and making the
comparison succeed. After this patch, the kernel copies and clears
only data, leaving the padding bytes undefined.

Extend the clear operation from data size to aligned data size to
include the padding bytes, if any.

Padding bytes can be observed in both match and target, and the bug
triggered, by issuing a rule with match icmp and target ACCEPT:

iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT

Fixes: f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers")
Reported-by: Paul Moore <pmoore@redhat.com>
Reported-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/linux/netfilter/x_tables.h		diff \| blob \| history
net/bridge/netfilter/ebtables.c		diff \| blob \| history
net/netfilter/x_tables.c		diff \| blob \| history