diff mbox series

[net,v2] netfilter: ipset: add missing range check in bitmap_ip_uadt

Message ID 20241113130209.22376-1-aha310510@gmail.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [net,v2] netfilter: ipset: add missing range check in bitmap_ip_uadt | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 11 of 11 maintainers
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 4 this patch: 4
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-11-14--03-00 (tests: 782)

Commit Message

Jeongjun Park Nov. 13, 2024, 1:02 p.m. UTC 
When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--

Comments

Paolo Abeni Nov. 14, 2024, 11:10 a.m. UTC | #1 
On 11/13/24 14:02, Jeongjun Park wrote:
> When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> the values of ip and ip_to are slightly swapped. Therefore, the range check
> for ip should be done later, but this part is missing and it seems that the
> vulnerability occurs.
> 
> So we should add missing range checks and remove unnecessary range checks.
> 
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

@Pablo, @Jozsef: despite the subj prefix, I guess this should go via
your tree. Please LMK if you prefer otherwise.

Cheers,

Paolo
Pablo Neira Ayuso Nov. 14, 2024, 11:29 a.m. UTC | #2 
On Thu, Nov 14, 2024 at 12:10:05PM +0100, Paolo Abeni wrote:
> On 11/13/24 14:02, Jeongjun Park wrote:
> > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> > the values of ip and ip_to are slightly swapped. Therefore, the range check
> > for ip should be done later, but this part is missing and it seems that the
> > vulnerability occurs.
> > 
> > So we should add missing range checks and remove unnecessary range checks.
> > 
> > Cc: <stable@vger.kernel.org>
> > Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> 
> @Pablo, @Jozsef: despite the subj prefix, I guess this should go via
> your tree. Please LMK if you prefer otherwise.

Thanks Paolo.

Patch LGTM. I am waiting for Jozsef to acknowledge this fix.
Jozsef Kadlecsik Nov. 14, 2024, 11:45 a.m. UTC | #3 
On Wed, 13 Nov 2024, Jeongjun Park wrote:

> When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> the values of ip and ip_to are slightly swapped. Therefore, the range check
> for ip should be done later, but this part is missing and it seems that the
> vulnerability occurs.
> 
> So we should add missing range checks and remove unnecessary range checks.
> 
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>

The patch should be applied to the stable branches too. Thanks!

Best regards,
Jozsef

> ---
>  net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
> 
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
> index e4fa00abde6a..5988b9bb9029 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ip.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
> @@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
>  		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
>  		if (ret)
>  			return ret;
> -		if (ip > ip_to) {
> +		if (ip > ip_to)
>  			swap(ip, ip_to);
> -			if (ip < map->first_ip)
> -				return -IPSET_ERR_BITMAP_RANGE;
> -		}
>  	} else if (tb[IPSET_ATTR_CIDR]) {
>  		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
>  
> @@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
>  		ip_to = ip;
>  	}
>  
> -	if (ip_to > map->last_ip)
> +	if (ip < map->first_ip || ip_to > map->last_ip)
>  		return -IPSET_ERR_BITMAP_RANGE;
>  
>  	for (; !before(ip_to, ip); ip += map->hosts) {
> --
>
Jozsef Kadlecsik Nov. 14, 2024, 11:46 a.m. UTC | #4 
On Thu, 14 Nov 2024, Pablo Neira Ayuso wrote:

> On Thu, Nov 14, 2024 at 12:10:05PM +0100, Paolo Abeni wrote:
> > On 11/13/24 14:02, Jeongjun Park wrote:
> > > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> > > the values of ip and ip_to are slightly swapped. Therefore, the range check
> > > for ip should be done later, but this part is missing and it seems that the
> > > vulnerability occurs.
> > > 
> > > So we should add missing range checks and remove unnecessary range checks.
> > > 
> > > Cc: <stable@vger.kernel.org>
> > > Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> > > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> > > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> > 
> > @Pablo, @Jozsef: despite the subj prefix, I guess this should go via
> > your tree. Please LMK if you prefer otherwise.
> 
> Patch LGTM. I am waiting for Jozsef to acknowledge this fix.

Sorry for the delay at acking the patch. Please apply it to the stable 
branches too because those are affected as well.

Best regards,
Jozsef
Pablo Neira Ayuso Nov. 14, 2024, 12:09 p.m. UTC | #5 
On Thu, Nov 14, 2024 at 12:46:29PM +0100, Jozsef Kadlecsik wrote:
> On Thu, 14 Nov 2024, Pablo Neira Ayuso wrote:
> 
> > On Thu, Nov 14, 2024 at 12:10:05PM +0100, Paolo Abeni wrote:
> > > On 11/13/24 14:02, Jeongjun Park wrote:
> > > > When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> > > > the values of ip and ip_to are slightly swapped. Therefore, the range check
> > > > for ip should be done later, but this part is missing and it seems that the
> > > > vulnerability occurs.
> > > > 
> > > > So we should add missing range checks and remove unnecessary range checks.
> > > > 
> > > > Cc: <stable@vger.kernel.org>
> > > > Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
> > > > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> > > > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> > > 
> > > @Pablo, @Jozsef: despite the subj prefix, I guess this should go via
> > > your tree. Please LMK if you prefer otherwise.
> > 
> > Patch LGTM. I am waiting for Jozsef to acknowledge this fix.
> 
> Sorry for the delay at acking the patch. Please apply it to the stable 
> branches too because those are affected as well.

No problem, preparing PR. Thanks Jozsef.
diff mbox series

Patch

diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index e4fa00abde6a..5988b9bb9029 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -163,11 +163,8 @@  bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
-		if (ip > ip_to) {
+		if (ip > ip_to)
 			swap(ip, ip_to);
-			if (ip < map->first_ip)
-				return -IPSET_ERR_BITMAP_RANGE;
-		}
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 
@@ -178,7 +175,7 @@  bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
 		ip_to = ip;
 	}
 
-	if (ip_to > map->last_ip)
+	if (ip < map->first_ip || ip_to > map->last_ip)
 		return -IPSET_ERR_BITMAP_RANGE;
 
 	for (; !before(ip_to, ip); ip += map->hosts) {