mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-25 03:46:17 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/bridge
History
Florian Westphal 7997eff828 netfilter: ebtables: reject blobs that don't provide all entry points 
Harshit Mogalapalli says:
 In ebt_do_table() function dereferencing 'private->hook_entry[hook]'
 can lead to NULL pointer dereference. [..] Kernel panic:

general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[..]
RIP: 0010:ebt_do_table+0x1dc/0x1ce0
Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 5c 16 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 6c df 08 48 8d 7d 2c 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 88
[..]
Call Trace:
 nf_hook_slow+0xb1/0x170
 __br_forward+0x289/0x730
 maybe_deliver+0x24b/0x380
 br_flood+0xc6/0x390
 br_dev_xmit+0xa2e/0x12c0

For some reason ebtables rejects blobs that provide entry points that are
not supported by the table, but what it should instead reject is the
opposite: blobs that DO NOT provide an entry point supported by the table.

t->valid_hooks is the bitmask of hooks (input, forward ...) that will see
packets.  Providing an entry point that is not support is harmless
(never called/used), but the inverse isn't: it results in a crash
because the ebtables traverser doesn't expect a NULL blob for a location
its receiving packets for.

Instead of fixing all the individual checks, do what iptables is doing and
reject all blobs that differ from the expected hooks.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
2022-08-23 18:23:15 +02:00
..
netfilter netfilter: ebtables: reject blobs that don't provide all entry points 2022-08-23 18:23:15 +02:00
br.c net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00
br_arp_nd_proxy.c net: bridge: Use netif_rx(). 2022-03-04 12:02:19 +00:00
br_cfm.c bridge: cfm: remove redundant return 2021-06-22 10:35:15 -07:00
br_cfm_netlink.c bridge: cfm: Netlink Notifications. 2020-10-29 18:39:44 -07:00
br_device.c net: bridge: fdb: add ndo_fdb_del_bulk 2022-04-13 12:46:26 +01:00
br_fdb.c rtnetlink: add extack support in fdb del handlers 2022-05-09 11:58:20 +01:00
br_forward.c net: Add skb_clear_tstamp() to keep the mono delivery_time 2022-03-03 14:38:48 +00:00
br_if.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
br_input.c net: bridge: Clear offload_fwd_mark when passing frame up bridge interface. 2022-05-19 09:20:44 +02:00
br_ioctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
br_mdb.c net: bridge: allow add/remove permanent mdb entries on disabled ports 2022-06-15 09:35:21 +01:00
br_mrp.c net: bridge: mrp: Update the Test frames for MRA 2021-06-28 15:46:10 -07:00
br_mrp_netlink.c bridge: mrp: Use hlist_head instead of list_head for mrp 2020-11-09 16:42:12 -08:00
br_mrp_switchdev.c bridge: mrp: Extend br_mrp_switchdev to detect better the errors 2021-02-16 14:47:46 -08:00
br_mst.c net: bridge: mst: Add helper to query a port's MST state 2022-03-17 16:49:58 -07:00
br_multicast.c net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled 2022-02-16 20:35:00 -08:00
br_multicast_eht.c net: bridge: multicast: use multicast contexts instead of bridge or port 2021-07-20 05:41:19 -07:00
br_netfilter_hooks.c netfilter: br_netfilter: do not skip all hooks with 0 priority 2022-06-27 19:23:27 +02:00
br_netfilter_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-06-25 01:32:59 +02:00
br_netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-28 18:21:16 -07:00
br_netlink_tunnel.c net: bridge: notify on vlan tunnel changes done via the old api 2020-07-12 15:18:24 -07:00
br_nf_core.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
br_private.h rtnetlink: add extack support in fdb del handlers 2022-05-09 11:58:20 +01:00
br_private_cfm.h bridge: cfm: Kernel space implementation of CFM. CCM frame RX added. 2020-10-29 18:39:43 -07:00
br_private_mcast_eht.h net: bridge: multicast: use multicast contexts instead of bridge or port 2021-07-20 05:41:19 -07:00
br_private_mrp.h net: bridge: mrp: Update the Test frames for MRA 2021-06-28 15:46:10 -07:00
br_private_stp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_private_tunnel.h net: bridge: change return type of br_handle_ingress_vlan_tunnel 2021-08-24 16:51:09 -07:00
br_stp.c net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00
br_stp_bpdu.c net: bridge: add STP xstats 2019-12-14 20:02:36 -08:00
br_stp_if.c net: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
br_stp_timer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_switchdev.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-04-28 13:02:01 -07:00
br_sysfs_br.c net: bridge: fdb: add support for fine-grained flushing 2022-04-13 12:46:26 +01:00
br_sysfs_if.c net: bridge: mcast: br_multicast_set_port_router takes multicast context as argument 2021-08-20 15:00:35 +01:00
br_vlan.c net: adopt u64_stats_t in struct pcpu_sw_netstats 2022-06-09 21:53:11 -07:00
br_vlan_options.c net: bridge: mst: Allow changing a VLAN's MSTI 2022-03-17 16:49:57 -07:00
br_vlan_tunnel.c net: bridge: change return type of br_handle_ingress_vlan_tunnel 2021-08-24 16:51:09 -07:00
Kconfig bridge: cfm: Add BRIDGE_CFM to Kconfig. 2020-10-29 18:39:43 -07:00
Makefile net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00