Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: ipset: add missing range check in bitmap_ip_uadt

When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Jeongjun Park and committed by Pablo Neira Ayuso
35f56c55 041bd1e4

+2 -5
net/netfilter/ipset/ip_set_bitmap_ip.c
··· 163 163 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 164 164 if (ret) 165 165 return ret; 166 - if (ip > ip_to) { 166 + if (ip > ip_to) 167 167 swap(ip, ip_to); 168 - if (ip < map->first_ip) 169 - return -IPSET_ERR_BITMAP_RANGE; 170 - } 171 168 } else if (tb[IPSET_ATTR_CIDR]) { 172 169 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 173 170 ··· 175 178 ip_to = ip; 176 179 } 177 180 178 - if (ip_to > map->last_ip) 181 + if (ip < map->first_ip || ip_to > map->last_ip) 179 182 return -IPSET_ERR_BITMAP_RANGE; 180 183 181 184 for (; !before(ip_to, ip); ip += map->hosts) {
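Review bot: dropping `if (ip < map->first_ip)` inside the IP_TO branch is only sound together with the combined check added after the branches; applied on its own it would leave `ip` below `map->first_ip` unchecked on that path, so the two hunks must land as one commit. The brace removal around the now single-statement `if (ip > ip_to) swap(ip, ip_to);` matches kernel style. Since the CIDR branch recomputes `ip` (the commit message notes ip and ip_to end up "slightly swapped" there), a one-line comment at `} else if (tb[IPSET_ATTR_CIDR]) {` saying that any lower-bound check before this point does not hold would make the reasoning survive future cleanups.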
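Review bot: the combined `if (ip < map->first_ip || ip_to > map->last_ip)` now guards all three paths (IP_TO, CIDR, and the single-address `ip_to = ip;` case) and sits directly before the `for (; !before(ip_to, ip); ip += map->hosts)` loop that indexes the bitmap, which is the right place because it runs after the CIDR branch has adjusted `ip`. Suggest a short comment stating that this check must stay after the branches, so nobody hoists it back above the CIDR handling where the original bug lived.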
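To make the ordering bug in the commit message concrete, here is an added, constructed model of the three branches in bitmap_ip_uadt (example code, not the kernel's): `check_range` replays either the pre-patch checks or the patched combined check, `mask_from_to` is a hypothetical stand-in for ip_set_mask_from_to(), and the bitmap window and request values are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_BITMAP_RANGE (-1)   /* stands in for -IPSET_ERR_BITMAP_RANGE */

/* Constructed model of the bitmap's address window (not the kernel struct). */
struct bitmap_model { uint32_t first_ip, last_ip; };

/* Hypothetical stand-in for ip_set_mask_from_to(): widen ip to its /cidr block. */
static void mask_from_to(uint32_t *ip, uint32_t *ip_to, uint8_t cidr)
{
	uint32_t mask = cidr ? ~0u << (32 - cidr) : 0;
	*ip &= mask;
	*ip_to = *ip | ~mask;
}

/* Replays the range handling of bitmap_ip_uadt. old_order = true reproduces
 * the pre-patch checks (lower bound only inside the IP_TO branch, upper bound
 * after the branches); false reproduces the patched combined check. */
int check_range(const struct bitmap_model *m, uint32_t ip,
		bool have_ip_to, uint32_t ip_to,
		bool have_cidr, uint8_t cidr, bool old_order)
{
	if (have_ip_to) {
		if (ip > ip_to) {
			uint32_t t = ip; ip = ip_to; ip_to = t;
		}
		if (old_order && ip < m->first_ip)
			return ERR_BITMAP_RANGE;
	} else if (have_cidr) {
		mask_from_to(&ip, &ip_to, cidr);   /* ip may now drop below first_ip */
	} else {
		ip_to = ip;
	}
	if (old_order)
		return ip_to > m->last_ip ? ERR_BITMAP_RANGE : 0;
	return (ip < m->first_ip || ip_to > m->last_ip) ? ERR_BITMAP_RANGE : 0;
}

int main(void)
{
	/* Constructed window 10.0.0.16 - 10.0.0.255; request 10.0.0.20/24 masks
	 * down to 10.0.0.0, below first_ip, while ip_to stays within last_ip. */
	struct bitmap_model m = { 0x0A000010u, 0x0A0000FFu };
	printf("old order: %d\n", check_range(&m, 0x0A000014u, false, 0, true, 24, true));
	printf("new order: %d\n", check_range(&m, 0x0A000014u, false, 0, true, 24, false));
	return 0;
}
```

The old order accepts the /24 request although its masked start lies below the window, which is the out-of-range bitmap access the fix closes; the patched order rejects it.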