Commit d9c5fbd0 authored Feb 15, 2025 by Jeongjun Park Committed by Dong Chenchen Feb 15, 2025

netfilter: ipset: add missing range check in bitmap_ip_uadt

mainline inclusion
from mainline-v6.13-rc1
commit 35f56c554eb1b56b77b3cf197a6b00922d49033d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB9NOX
CVE: CVE-2024-53141

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=35f56c554eb1b56b77b3cf197a6b00922d49033d



--------------------------------

When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

Cc: <stable@vger.kernel.org>
Reported-by:  <syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com>
Fixes: 72205fc6 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

parent 83b361e2

net/netfilter/ipset/ip_set_bitmap_ip.c

+2 −5

Original line number	Diff line number	Diff line
		@@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set set, struct nlattr tb[],
		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
		if (ret)
		return ret;
		if (ip > ip_to) {
		if (ip > ip_to)
		swap(ip, ip_to);
		if (ip < map->first_ip)
		return -IPSET_ERR_BITMAP_RANGE;
		}
		} else if (tb[IPSET_ATTR_CIDR]) {
		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);

		@@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set set, struct nlattr tb[],
		ip_to = ip;
		}

		if (ip_to > map->last_ip)
		if (ip < map->first_ip \|\| ip_to > map->last_ip)
		return -IPSET_ERR_BITMAP_RANGE;

		for (; !before(ip_to, ip); ip += map->hosts) {