Skip to content

Commit 97840cb

Browse files
ummakynesummakynes
committed
netfilter: nfnetlink: fix insufficient validation in nfnetlink_bind
Make sure the netlink group exists, otherwise you can trigger an out of bound array memory access from the netlink_bind() path. This splat can only be triggered only by superuser. [ 180.203600] UBSan: Undefined behaviour in ../net/netfilter/nfnetlink.c:467:28 [ 180.204249] index 9 is out of range for type 'int [9]' [ 180.204697] CPU: 0 PID: 1771 Comm: trinity-main Not tainted 3.18.0-rc4-mm1+ #122 [ 180.205365] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org +04/01/2014 [ 180.206498] 0000000000000018 0000000000000000 0000000000000009 ffff88007bdf7da8 [ 180.207220] ffffffff82b0ef5f 0000000000000092 ffffffff845ae2e0 ffff88007bdf7db8 [ 180.207887] ffffffff8199e489 ffff88007bdf7e18 ffffffff8199ea22 0000003900000000 [ 180.208639] Call Trace: [ 180.208857] dump_stack (lib/dump_stack.c:52) [ 180.209370] ubsan_epilogue (lib/ubsan.c:174) [ 180.209849] __ubsan_handle_out_of_bounds (lib/ubsan.c:400) [ 180.210512] nfnetlink_bind (net/netfilter/nfnetlink.c:467) [ 180.210986] netlink_bind (net/netlink/af_netlink.c:1483) [ 180.211495] SYSC_bind (net/socket.c:1541) Moreover, define the missing nf_tables and nf_acct multicast groups too. Reported-by: Andrey Ryabinin <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent feb91a0 commit 97840cb

File tree

1 file changed

+11
-1
lines changed

1 file changed

+11
-1
lines changed

net/netfilter/nfnetlink.c

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,8 @@ static const int nfnl_group2type[NFNLGRP_MAX+1] = {
4747
[NFNLGRP_CONNTRACK_EXP_NEW] = NFNL_SUBSYS_CTNETLINK_EXP,
4848
[NFNLGRP_CONNTRACK_EXP_UPDATE] = NFNL_SUBSYS_CTNETLINK_EXP,
4949
[NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
50+
[NFNLGRP_NFTABLES] = NFNL_SUBSYS_NFTABLES,
51+
[NFNLGRP_ACCT_QUOTA] = NFNL_SUBSYS_ACCT,
5052
};
5153

5254
void nfnl_lock(__u8 subsys_id)
@@ -464,7 +466,12 @@ static void nfnetlink_rcv(struct sk_buff *skb)
464466
static int nfnetlink_bind(int group)
465467
{
466468
const struct nfnetlink_subsystem *ss;
467-
int type = nfnl_group2type[group];
469+
int type;
470+
471+
if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
472+
return -EINVAL;
473+
474+
type = nfnl_group2type[group];
468475

469476
rcu_read_lock();
470477
ss = nfnetlink_get_subsys(type);
@@ -514,6 +521,9 @@ static int __init nfnetlink_init(void)
514521
{
515522
int i;
516523

524+
for (i = NFNLGRP_NONE + 1; i <= NFNLGRP_MAX; i++)
525+
BUG_ON(nfnl_group2type[i] == NFNL_SUBSYS_NONE);
526+
517527
for (i=0; i<NFNL_SUBSYS_COUNT; i++)
518528
mutex_init(&table[i].mutex);
519529

0 commit comments

Comments
 (0)