netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

stable inclusion from stable-v5.10.120 commit c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048 category: bugfix bugzilla: 186913 https://gitee.com/src-openeuler/kernel/issues/I5B69E CVE: CVE-2022-1972 -------------------------------- commit fecf31ee upstream. Add several sanity checks for nft_set_desc_concat_parse(): - validate desc->field_count not larger than desc->field_len array. - field length cannot be larger than desc->field_len (ie. U8_MAX) - total length of the concatenation cannot be larger than register array. Joint work with Florian Westphal. Fixes: f3a2181e ("netfilter: nf_tables: Support for sets with multiple ranged fields") Reported-by: <zhangziming.zzm@antgroup.com> Reviewed-by: N Stefano Brivio <sbrivio@redhat.com> Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
stable inclusion from stable-v5.10.120 commit c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048 category: bugfix bugzilla: 186913 https://gitee.com/src-openeuler/kernel/issues/I5B69E CVE: CVE-2022-1972 -------------------------------- commit fecf31ee upstream. Add several sanity checks for nft_set_desc_concat_parse(): - validate desc->field_count not larger than desc->field_len array. - field length cannot be larger than desc->field_len (ie. U8_MAX) - total length of the concatenation cannot be larger than register array. Joint work with Florian Westphal. Fixes: f3a2181e ("netfilter: nf_tables: Support for sets with multiple ranged fields") Reported-by: <zhangziming.zzm@antgroup.com> Reviewed-by: N Stefano Brivio <sbrivio@redhat.com> Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
c80fed6b · Pablo Neira Ayuso · Zheng Zengkai · bfe874c4 · c80fed6b
隐藏空白更改
内联并排

Showing with 13 addition and 4 deletion

net/netfilter/nf_tables_api.c net/netfilter/nf_tables_api.c +13 -4

未找到文件。
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4047,6 +4047,9 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr,
 	u32 len;
 	int err;
+	if (desc->field_count >= ARRAY_SIZE(desc->field_len))
+		return -E2BIG;
 	err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
 					  nft_concat_policy, NULL);
 	if (err < 0)
@@ -4056,9 +4059,8 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr,
 		return -EINVAL;
 	len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
+	if (!len || len > U8_MAX)
-	if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
+		return -EINVAL;
-		return -E2BIG;
 	desc->field_len[desc->field_count++] = len;
@@ -4069,7 +4071,8 @@ static int nft_set_desc_concat(struct nft_set_desc *desc,
 			       const struct nlattr *nla)
 {
 	struct nlattr *attr;
-	int rem, err;
+	u32 num_regs = 0;
+	int rem, err, i;
 	nla_for_each_nested(attr, nla, rem) {
 		if (nla_type(attr) != NFTA_LIST_ELEM)
@@ -4080,6 +4083,12 @@ static int nft_set_desc_concat(struct nft_set_desc *desc,
 			return err;
 	}
+	for (i = 0; i < desc->field_count; i++)
+		num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
+	if (num_regs > NFT_REG32_COUNT)
+		return -E2BIG;
 	return 0;
 }