From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Dave Jones <davej@codemonkey.org.uk>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 41/88] netfilter: ensure number of counters is >0 in do_replace()
Date: Thu, 14 Jul 2016 10:15:33 +0200
Message-ID: <17c7327831f7be47c6ff460b9faa100ff426f0b0.1468483951.git.jslaby@suse.cz>
In-Reply-To: <3d4036cb9b963cdd270c02856a888183da0623db.1468483951.git.jslaby@suse.cz>
In-Reply-To: <cover.1468483950.git.jslaby@suse.cz>

From: Dave Jones <davej@codemonkey.org.uk>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1086bbe97a074844188c6c988fa0b1a98c3ccbb9 upstream.

After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:

warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0

It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.

The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/bridge/netfilter/ebtables.c | 4 ++++
 net/ipv4/netfilter/arp_tables.c | 6 ++++++
 net/ipv4/netfilter/ip_tables.c  | 6 ++++++
 net/ipv6/netfilter/ip6_tables.c | 6 ++++++
 4 files changed, 22 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index b166fc2ec4b9..fbfa24b19127 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1105,6 +1105,8 @@ static int do_replace(struct net *net, const void __user *user,
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name) - 1] = 0;
 
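Review bot: the commit message says the num_counters field is not validated as initialized, but the only new check here is `tmp.num_counters == 0`; the message should state that a zero count is what produces the vzalloc failure in the quoted trace, since an arbitrary non-zero value that stays below the `INT_MAX / sizeof(struct ebt_counter)` bound on the preceding line is still accepted by this hunk. It is also worth confirming that ebtables userspace never legitimately submits a replace with zero counters, because a zero count now fails hard with -EINVAL instead of being handled further down.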
@@ -2150,6 +2152,8 @@ static int compat_copy_ebt_replace_from_user(struct ebt_replace *repl,
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
 
 	memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
 
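Review bot: this is the same pair of range checks on `tmp.num_counters` that do_replace() carries, now copied into compat_copy_ebt_replace_from_user(); consider moving the `INT_MAX / sizeof` bound and the zero test into one small helper shared by the native and compat paths, so the two cannot diverge the next time one of them is touched (this patch itself had to repeat the check in eight places across four files).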
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 819a5d2b618f..020b0e97c206 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1077,6 +1077,9 @@ static int do_replace(struct net *net, const void __user *user,
 	/* overflow check */
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
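Review bot: -EINVAL is the right code for a zero count, but the overflow check two lines above returns -ENOMEM for what is equally a malformed userspace value; since this block is being edited anyway, returning -EINVAL from both would make the error that reaches userspace reflect bad input rather than memory pressure, and the `/* overflow check */` comment could be extended to cover the new zero test as well.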
@@ -1491,6 +1494,9 @@ static int compat_do_replace(struct net *net, void __user *user,
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b296da45a7bd..a207d2befc75 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1263,6 +1263,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
 	/* overflow check */
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
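Review bot: the placement is correct, the rejection happens on the copied `tmp` before `xt_alloc_table_info(tmp.size)`, so a bad counter count no longer costs an allocation before it is noticed. The zero test has no comment while the overflow check above it does; a one-line note saying why a zero count is rejected would spare the next reader from having to dig out this commit.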
@@ -1798,6 +1801,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2b345f642978..b87f35b6c742 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1273,6 +1273,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
 	/* overflow check */
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
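Review bot: this mirrors the ip_tables hunk line for line, which is fine, but the patch adds no regression test; a selftest that issues a table replace with `num_counters` set to zero against each of the four families and expects EINVAL would catch a future change that fixes one copy of the check and forgets the others.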
@@ -1807,6 +1810,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
-- 
2.9.1
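The two checks that guard the counter allocation in the patched do_replace() are easy to read but the arithmetic they protect is worth seeing on concrete values. The following is an added, user-space C example written for this page, not kernel code and not part of the patch: `struct replace_hdr` is a hypothetical stand-in holding only the field the patch validates, `struct xt_counters` mirrors the kernel layout (two 64-bit counters), and `validate_counters()` reproduces the order of the checks in the hunks. `truncated_size()` shows what a count that passes no check would do if the byte size were carried in a 32-bit quantity.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct xt_counters: two 64-bit counters. */
struct xt_counters {
	uint64_t pcnt;
	uint64_t bcnt;
};

/*
 * Hypothetical trimmed-down replace header holding only the field the
 * patch validates; the real ipt_replace carries many more fields.
 */
struct replace_hdr {
	unsigned int num_counters;
};

/*
 * Mirror the two checks that sit in front of the counter allocation in the
 * patched do_replace(): the pre-existing overflow guard, then the new
 * rejection of a zero count. On success the byte size the allocation would
 * use is written to *bytes; on failure a negative errno is returned.
 */
int validate_counters(const struct replace_hdr *hdr, size_t *bytes)
{
	if (hdr->num_counters >= INT_MAX / sizeof(struct xt_counters))
		return -ENOMEM;	/* pre-existing: product would not fit in an int */
	if (hdr->num_counters == 0)
		return -EINVAL;	/* added by the patch: would be a zero-sized vzalloc */
	*bytes = (size_t)hdr->num_counters * sizeof(struct xt_counters);
	return 0;
}

/*
 * What the overflow guard protects against: the product truncated to a
 * 32-bit unsigned, as it would be if the size were carried in a 32-bit
 * quantity. Returns the wrapped value so it can be compared with the
 * exact size.
 */
uint32_t truncated_size(unsigned int num_counters)
{
	return (uint32_t)((uint64_t)num_counters * sizeof(struct xt_counters));
}

int main(void)
{
	/* Constructed sample inputs: a normal count, zero, and two huge counts. */
	unsigned int samples[] = { 16, 0, 0x10000000u, UINT_MAX };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct replace_hdr hdr = { .num_counters = samples[i] };
		size_t bytes = 0;
		int rc = validate_counters(&hdr, &bytes);

		printf("num_counters=%u -> rc=%d bytes=%zu truncated32=%u\n",
		       samples[i], rc, bytes, truncated_size(samples[i]));
	}
	return 0;
}
```

With `sizeof(struct xt_counters)` equal to 16, the bound is `INT_MAX / 16`, so a count of `0x10000000` is refused with -ENOMEM even though it is far below `UINT_MAX`; `truncated_size()` shows why, since its byte product wraps to exactly zero in 32 bits, which is the same zero-length allocation the new `== 0` check refuses directly.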
