Re: [PATCH net] netfilter: ipset: add missing range check in bitmap_ip_uadt

From: Jozsef Kadlecsik
Date: Tue Nov 12 2024 - 14:59:48 EST


Hello Jeongjun,

On Tue, 12 Nov 2024, Jeongjun Park wrote:

> In the bitmap_ip_uadt function, if ip is greater than ip_to, they are swapped.
> However, there is no check to see if ip is smaller than map->first, which
> causes an out-of-bounds vulnerability. Therefore, you need to add a missing
> bounds check to prevent out-of-bounds.

It's a good catch, thanks! However, with the patch below the

if (ip < map->first_ip)
return -IPSET_ERR_BITMAP_RANGE;

lines in the branch just after swapping the from/to addresses becomes
unnecessary. Could you send a second version of the patch with the lines
above removed?

Best regards,
Jozsef

> Cc: <stable@xxxxxxxxxxxxxxx>
> Reported-by: syzbot+58c872f7790a4d2ac951@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
> Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
> index e4fa00abde6a..705c316b001a 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ip.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
> @@ -178,7 +178,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
> ip_to = ip;
> }
>
> - if (ip_to > map->last_ip)
> + if (ip < map->first_ip || ip_to > map->last_ip)
> return -IPSET_ERR_BITMAP_RANGE;
>
> for (; !before(ip_to, ip); ip += map->hosts) {
> --
>

--
E-mail : kadlec@xxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
Address: Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary