linux-stable/net
Francesco Ruggeri 2ea2ee855a netfilter: compat: initialize all fields in xt_init
commit 8d29d16d21 upstream

If a non-zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
time, the following panic can be caused by running

% ebtables -t broute -F BROUTING

from a 32-bit user level on a 64-bit kernel. This patch replaces
kmalloc_array with kcalloc when allocating xt.

[  474.680846] BUG: unable to handle kernel paging request at 0000000009600920
[  474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
[  474.693838] Oops: 0000 [#1] SMP
[  474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
[  474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
[  474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
[  474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
[  474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
[  474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
[  474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
[  474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
[  474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
[  474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
[  474.780234] FS:  0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
[  474.788612] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
[  474.802052] Call Trace:
[  474.804789]  compat_do_replace+0x1fb/0x2a3 [ebtables]
[  474.810105]  compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
[  474.815605]  ? try_module_get+0x37/0x42
[  474.819716]  compat_nf_setsockopt+0x4f/0x6d
[  474.824172]  compat_ip_setsockopt+0x7e/0x8c
[  474.828641]  compat_raw_setsockopt+0x16/0x3a
[  474.833220]  compat_sock_common_setsockopt+0x1d/0x24
[  474.838458]  __compat_sys_setsockopt+0x17e/0x1b1
[  474.843343]  ? __check_object_size+0x76/0x19a
[  474.847960]  __ia32_compat_sys_socketcall+0x1cb/0x25b
[  474.853276]  do_fast_syscall_32+0xaf/0xf6
[  474.857548]  entry_SYSENTER_compat+0x6b/0x7a

Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-16 19:42:18 +02:00
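The failure the commit message describes, as an added user-space model that is not the kernel's code: a per-family xt[] array allocated either unzeroed (what kmalloc_array leaves behind) or zeroed (kcalloc, the fix), and the binary search that xt_compat_calc_jump runs over compat_tab with cur as its bound. The struct field names and the two function names come from the commit message; the slot count, the NFPROTO_BRIDGE index, the stale value planted in .cur, the sample delta table and the sanity guard inside calc_jump are all assumptions made here so the model fails deterministically instead of reading through a wild pointer.

```c
/*
 * Added example, not kernel code: a model of the per-family xt[] array and
 * of the binary search in xt_compat_calc_jump(), showing why the array must
 * be allocated zeroed (kcalloc) rather than with kmalloc_array().
 * Field and function names follow the commit message; the constants, the
 * stale value and the guard are assumptions of this model.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFPROTO_NUMPROTO 13      /* assumed number of per-family slots */
#define NFPROTO_BRIDGE    7      /* assumed index of the bridge family */
#define STALE_CUR   0x258024au   /* constructed leftover value for .cur */

struct compat_delta {
	unsigned int offset;   /* offset of a compat entry, sorted ascending */
	int delta;             /* cumulative size difference up to that entry */
};

struct xt_af_model {
	struct compat_delta *compat_tab;  /* NULL until a compat table is built */
	unsigned int number;              /* capacity of compat_tab */
	unsigned int cur;                 /* entries currently in compat_tab */
};

/* Models kmalloc_array(): memory keeps whatever its previous user left.
 * Real leftovers are unpredictable, so this constructs the precondition
 * named in the commit message: a non-zero .cur in the bridge slot while
 * compat_tab is still NULL. */
static struct xt_af_model *alloc_xt_unzeroed(size_t n)
{
	struct xt_af_model *p = malloc(n * sizeof(*p));
	if (!p)
		return NULL;
	memset(p, 0, n * sizeof(*p));
	p[NFPROTO_BRIDGE].cur = STALE_CUR;   /* constructed stale content */
	return p;
}

/* Models kcalloc(), the allocation the fix switches to: every field is 0. */
static struct xt_af_model *alloc_xt_zeroed(size_t n)
{
	return calloc(n, sizeof(struct xt_af_model));
}

/* Binary search as in xt_compat_calc_jump(): cur entries sorted by offset.
 * The kernel trusts cur; this model adds a guard (an assumption, not the
 * fix) so an inconsistent slot reports *ok = 0 instead of indexing a NULL
 * compat_tab with a garbage cur, which is the oops in the commit message. */
static int calc_jump(const struct xt_af_model *af, unsigned int offset, int *ok)
{
	const struct compat_delta *tmp = af->compat_tab;
	int mid, left = 0, right = (int)af->cur - 1;

	if (af->cur != 0 && (tmp == NULL || af->cur > af->number)) {
		*ok = 0;
		return 0;
	}
	*ok = 1;
	while (left <= right) {
		mid = (left + right) >> 1;
		if (offset > tmp[mid].offset)
			left = mid + 1;
		else if (offset < tmp[mid].offset)
			right = mid - 1;
		else
			return mid ? tmp[mid - 1].delta : 0;
	}
	return left ? tmp[left - 1].delta : 0;
}

/* Constructed registration: models a compat table of n sorted deltas having
 * been built for the bridge family. */
static void set_bridge_table(struct xt_af_model *xt, struct compat_delta *tab,
			     unsigned int n)
{
	xt[NFPROTO_BRIDGE].compat_tab = tab;
	xt[NFPROTO_BRIDGE].number = n;
	xt[NFPROTO_BRIDGE].cur = n;
}

/* 1 if a freshly allocated xt[] is in the state xt_init() must leave it in:
 * no family claims entries before any compat table exists. */
static int fresh_table_is_sane(const struct xt_af_model *xt, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (xt[i].cur != 0 || xt[i].compat_tab != NULL)
			return 0;
	return 1;
}

int main(void)
{
	struct xt_af_model *bad = alloc_xt_unzeroed(NFPROTO_NUMPROTO);
	struct xt_af_model *good = alloc_xt_zeroed(NFPROTO_NUMPROTO);
	int ok_bad = 0, ok_good = 0;

	if (!bad || !good)
		return 1;
	calc_jump(&bad[NFPROTO_BRIDGE], 0x100, &ok_bad);
	calc_jump(&good[NFPROTO_BRIDGE], 0x100, &ok_good);
	printf("kmalloc_array model: sane=%d lookup_ok=%d\n",
	       fresh_table_is_sane(bad, NFPROTO_NUMPROTO), ok_bad);
	printf("kcalloc model:       sane=%d lookup_ok=%d\n",
	       fresh_table_is_sane(good, NFPROTO_NUMPROTO), ok_good);
	free(bad);
	free(good);
	return 0;
}
```

With the zeroed allocation the bridge slot has cur == 0, so the search loop never runs and the lookup returns 0 as it should before any compat table exists; with the stale cur the real kernel code computes right from garbage and reads tmp[mid] off a NULL compat_tab, which matches the R8 == 0 and the fault address in the oops above. The guard in the model only makes that visible in user space; the actual remedy is the one the patch applies, zeroing the array at allocation so no field depends on prior memory contents.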
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-10-03 17:00:47 -07:00
9p 9p: do not trust pdu content for stat item size 2019-04-20 09:15:04 +02:00
802 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
8021q net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
appletalk appletalk: Fix use-after-free in atalk_proc_exit 2019-04-20 09:15:07 +02:00
atm net: atm: Fix potential Spectre v1 vulnerabilities 2019-04-27 09:35:33 +02:00
ax25 ax25: fix possible use-after-free 2019-02-23 09:06:44 +01:00
batman-adv batman-adv: Reduce tt_global hash refcnt only for removed entry 2019-05-08 07:20:47 +02:00
bluetooth Bluetooth: Align minimum encryption key size for LE and BR/EDR connections 2019-05-10 17:53:15 +02:00
bpf
bridge netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING 2019-05-04 09:15:18 +02:00
caif caif: reduce stack size with KASAN 2019-05-08 07:20:45 +02:00
can can: bcm: check timer values before ktime conversion 2019-01-31 08:13:46 +01:00
ceph libceph: wait for latest osdmap in ceph_monc_blacklist_add() 2019-03-27 14:13:51 +09:00
core net: ethtool: not call vzalloc for zero sized memory request 2019-04-17 08:37:50 +02:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:43:43 +02:00
dccp dccp: do not use ipv6 header for ipv4 flow 2019-04-03 06:25:08 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:28:49 +02:00
dsa net: dsa: slave: Don't propagate flag changes on down slave interfaces 2019-02-12 19:46:11 +01:00
ethernet
hsr net/hsr: fix possible crash in add_timer() 2019-03-19 13:13:22 +01:00
ieee802154 ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2019-04-27 09:35:40 +02:00
ife net: sched: ife: check on metadata length 2018-04-29 11:33:13 +02:00
ipv4 ipv4: ip_do_fragment: Preserve skb_iif during fragmentation 2019-05-08 07:20:43 +02:00
ipv6 ipv6: invert flowlabel sharing check in process and user mode 2019-05-08 07:20:44 +02:00
ipx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:37:45 +02:00
key af_key: unconditionally clone on broadcast 2019-03-23 14:35:14 +01:00
l2tp l2tp: fix infoleak in l2tp_ip6_recvmsg() 2019-03-19 13:13:22 +01:00
l3mdev
lapb
llc llc: do not use sk_eat_skb() 2018-12-01 09:42:51 +01:00
mac80211 mac80211: do not call driver wake_tx_queue op during reconfig 2019-04-27 09:35:38 +02:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 19:55:52 +02:00
mpls mpls: Return error for RTA_GATEWAY attribute 2019-03-13 14:03:09 -07:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter netfilter: compat: initialize all fields in xt_init 2019-05-16 19:42:18 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-03-13 14:03:08 -07:00
netlink genetlink: Fix a memory leak on error path 2019-04-03 06:25:08 +02:00
netrom netrom: switch to sock timer API 2019-02-06 17:31:32 +01:00
nfc net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails 2019-03-13 14:03:08 -07:00
nsh nsh: set mac len based on inner packet 2018-07-22 14:28:49 +02:00
openvswitch ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2019-04-27 09:35:40 +02:00
packet packet: validate msg_namelen in send directly 2019-05-08 07:20:44 +02:00
phonet phonet: fix building with clang 2019-03-23 14:35:16 +01:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr net: qrtr: Broadcast messages only from control port 2018-08-24 13:09:13 +02:00
rds net: rds: exchange of 8K and 1M pool 2019-05-02 09:40:33 +02:00
rfkill rfkill: gpio: fix memory leak in probe error path 2018-05-16 10:10:26 +02:00
rose net/rose: fix unbound loop in rose_loopback_timer() 2019-05-02 09:40:34 +02:00
rxrpc rxrpc: Fix net namespace cleanup 2019-05-08 07:20:44 +02:00
sched net/sched: act_sample: fix divide by zero in the traffic path 2019-04-17 08:37:49 +02:00
sctp sctp: avoid running the sctp state machine recursively 2019-05-08 07:20:44 +02:00
smc net/smc: fix TCP fallback socket release 2019-01-09 17:14:46 +01:00
strparser strparser: Remove early eaten to fix full tcp receive buffer stall 2018-07-22 14:28:47 +02:00
sunrpc sunrpc: don't mark uninitialised items as VALID. 2019-05-02 09:40:29 +02:00
switchdev
tipc tipc: check link name with right length in tipc_nl_compat_link_set 2019-05-02 09:40:32 +02:00
tls net/tls: Fixed return value when tls_complete_pending_work() fails 2018-12-05 19:41:11 +01:00
unix missing barriers in some of unix_sock ->addr and ->path accesses 2019-03-19 13:13:24 +01:00
vmw_vsock vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock 2019-05-02 09:40:31 +02:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless cfg80211: extend range deviation for DMG 2019-03-05 17:58:02 +01:00
x25 net/x25: fix a race in x25_bind() 2019-03-19 13:13:23 +01:00
xfrm xfrm: refine validation of template and selector families 2019-02-15 08:09:13 +01:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 17:14:46 +01:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
socket.c net: socket: set sock->sk to NULL after calling proto_ops::release() 2019-03-13 14:03:09 -07:00
sysctl_net.c