netfilter: x_tables: check for size overflow

Orabug: 24690280
CVE: CVE-2016-3134

Ben Hawkes says:
integer overflow in xt_alloc_table_info, which on 32-bit systems can
lead to small structure allocation and a copy_from_user based heap
corruption.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 51a459c3c6490cb7ce5080c5aa147920077dc9d5..bc372f64a7248df59e0ad7a72e17b1433dd6a594 100644 (file)
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -659,8 +659,12 @@ EXPORT_SYMBOL_GPL(xt_compat_target_to_user);
 struct xt_table_info *xt_alloc_table_info(unsigned int size)
 {
        struct xt_table_info *newinfo;
+       size_t sz = sizeof(*newinfo) + size;
        int cpu;
 
+       if (sz < sizeof(*newinfo))
+               return NULL;
+
        /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
        if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
                return NULL;