From b8c2b76bf8026457489948693638df321c680e7b Mon Sep 17 00:00:00 2001

From: Joel Savitz <jsavitz@redhat.com>

Date: Fri, 23 Jul 2021 11:26:01 -0400

Subject: [PATCH] netfilter: x_tables: kpatch fixes for CVE-2021-22555

Kernels:

4.18.0-305.el8

4.18.0-305.3.1.el8_4

4.18.0-305.7.1.el8_4

4.18.0-305.10.2.el8_4

Changes since last build:

arches: x86_64 ppc64le

arp_tables.o: changed function: translate_compat_table

ip6_tables.o: changed function: translate_compat_table

ip_tables.o: changed function: translate_compat_table

x_tables.o: changed function: xt_compat_match_from_user

x_tables.o: changed function: xt_compat_target_from_user

---------------------------

Kernels:

4.18.0-305.el8

4.18.0-305.3.1.el8_4

4.18.0-305.7.1.el8_4

4.18.0-305.10.2.el8_4

Modifications: none

Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/951

KT0: https://beaker.engineering.redhat.com/jobs/5611476 (PASS for x86_64 and queued for ppc64le)

for scratch Build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38312105

commit a6f41b0d134d0ca62a46da0204f02018d69f19dd

Author: Florian Westphal <fwestpha@redhat.com>

Date:   Thu Apr 15 17:12:32 2021 +0200

    netfilter: x_tables: fix compat match/target pad out-of-bound write

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1980500

    Y-Commit: 67b5dd48280ef85610333da24be367188d0542cb

    O-Bugzilla: 1980501

    CVE: CVE-2021-22555

    Upstream Status: commit b29c457a65114

    commit b29c457a6511435960115c0f548c4360d5f4801d

    Author: Florian Westphal <fw@strlen.de>

    Date:   Wed Apr 7 21:38:57 2021 +0200

        netfilter: x_tables: fix compat match/target pad out-of-bound write

        xt_compat_match/target_from_user doesn't check that zeroing the area

        to start of next rule won't write past end of allocated ruleset blob.

        Remove this code and zero the entire blob beforehand.

        Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com

        Reported-by: Andy Nguyen <theflow@google.com>

        Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")

        Signed-off-by: Florian Westphal <fw@strlen.de>

        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    Signed-off-by: Florian Westphal <fwestpha@redhat.com>

    Signed-off-by: Jan Stancek <jstancek@redhat.com>

Signed-off-by: Joel Savitz <jsavitz@redhat.com>

Acked-by: Artem Savkov <asavkov@redhat.com>

Acked-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 net/ipv4/netfilter/arp_tables.c |  2 ++

 net/ipv4/netfilter/ip_tables.c  |  2 ++

 net/ipv6/netfilter/ip6_tables.c |  2 ++

 net/netfilter/x_tables.c        | 10 ++--------

 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c

index ca20efe775ee4..d2ebbeaa9870b 100644

--- a/net/ipv4/netfilter/arp_tables.c

+++ b/net/ipv4/netfilter/arp_tables.c

@@ -1195,6 +1195,8 @@ static int translate_compat_table(struct net *net,

 	if (!newinfo)

 		goto out_unlock;

+	memset(newinfo->entries, 0, size);

+

 	newinfo->number = compatr->num_entries;

 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {

 		newinfo->hook_entry[i] = compatr->hook_entry[i];

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c

index 4cdfb76b9aa8c..8d1545c3bf7b1 100644

--- a/net/ipv4/netfilter/ip_tables.c

+++ b/net/ipv4/netfilter/ip_tables.c

@@ -1433,6 +1433,8 @@ translate_compat_table(struct net *net,

 	if (!newinfo)

 		goto out_unlock;

+	memset(newinfo->entries, 0, size);

+

 	newinfo->number = compatr->num_entries;

 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {

 		newinfo->hook_entry[i] = compatr->hook_entry[i];

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c

index f7f25eb536d5b..b9d05ea5b9f0f 100644

--- a/net/ipv6/netfilter/ip6_tables.c

+++ b/net/ipv6/netfilter/ip6_tables.c

@@ -1448,6 +1448,8 @@ translate_compat_table(struct net *net,

 	if (!newinfo)

 		goto out_unlock;

+	memset(newinfo->entries, 0, size);

+

 	newinfo->number = compatr->num_entries;

 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {

 		newinfo->hook_entry[i] = compatr->hook_entry[i];

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c

index eb66934f36ec2..e258429213cab 100644

--- a/net/netfilter/x_tables.c

+++ b/net/netfilter/x_tables.c

@@ -736,7 +736,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,

 {

 	const struct xt_match *match = m->u.kernel.match;

 	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;

-	int pad, off = xt_compat_match_offset(match);

+	int off = xt_compat_match_offset(match);

 	u_int16_t msize = cm->u.user.match_size;

 	char name[sizeof(m->u.user.name)];

@@ -746,9 +746,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,

 		match->compat_from_user(m->data, cm->data);

 	else

 		memcpy(m->data, cm->data, msize - sizeof(*cm));

-	pad = XT_ALIGN(match->matchsize) - match->matchsize;

-	if (pad > 0)

-		memset(m->data + match->matchsize, 0, pad);

 	msize += off;

 	m->u.user.match_size = msize;

@@ -1119,7 +1116,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,

 {

 	const struct xt_target *target = t->u.kernel.target;

 	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;

-	int pad, off = xt_compat_target_offset(target);

+	int off = xt_compat_target_offset(target);

 	u_int16_t tsize = ct->u.user.target_size;

 	char name[sizeof(t->u.user.name)];

@@ -1129,9 +1126,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,

 		target->compat_from_user(t->data, ct->data);

 	else

 		memcpy(t->data, ct->data, tsize - sizeof(*ct));

-	pad = XT_ALIGN(target->targetsize) - target->targetsize;

-	if (pad > 0)

-		memset(t->data + target->targetsize, 0, pad);

 	tsize += off;

 	t->u.user.target_size = tsize;

-- 

2.26.3