linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, netfilter-devel@lists.netfilter.org,
	Patrick McHardy <kaber@trash.net>,
	davem@davemloft.net, Micha Mirosaw <mirq-linux@rere.qmqm.pl>
Subject: [patch 06/20] nfnetlink_log: fix NULL pointer dereference
Date: Fri, 9 Mar 2007 22:17:18 -0800	[thread overview]
Message-ID: <20070310061718.GG31412@kroah.com> (raw)
In-Reply-To: <20070310061603.GA31412@kroah.com>

[-- Attachment #1: nfnetlink_log-fix-null-pointer-dereference.patch --]
[-- Type: text/plain, Size: 2737 bytes --]

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Micha Mirosaw <mirq-linux@rere.qmqm.pl>

[NETFILTER]: nfnetlink_log: fix NULL pointer dereference

Fix the nasty NULL dereference on multiple packets per netlink message.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
 printing eip:
f8a4b3bf
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack
_ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i
pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma
p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_
cd cdrom
CPU:    0
EIP:    0060:[<f8a4b3bf>]    Not tainted VLI
EFLAGS: 00010206   (2.6.20 #5)
EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
eax: 00000000   ebx: f2b5cbc0   ecx: c03f5f54   edx: c03f4000
esi: f2b5cbc8   edi: c03f5f54   ebp: f8a4b3ec   esp: c03f5f30
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
       c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
       c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
Call Trace:
 [<f8a4b401>] nfulnl_timer+0x15/0x25 [nfnetlink_log]
 [<c012af49>] run_timer_softirq+0x10a/0x164
 [<c0126932>] __do_softirq+0x60/0xba
 [<c01269bd>] do_softirq+0x31/0x35
 [<c0104f6e>] do_IRQ+0x62/0x74
 [<c01036cb>] common_interrupt+0x23/0x28
 [<c0101018>] default_idle+0x0/0x3f
 [<c0101045>] default_idle+0x2d/0x3f
 [<c01010fa>] cpu_idle+0xa0/0xb9
 [<c03fb7f5>] start_kernel+0x1a8/0x1ac
 [<c03fb293>] unknown_bootoption+0x0/0x181
 =======================
Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04
 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8
 08 9a 84
EIP: [<f8a4b3bf>] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
 <0>Kernel panic - not syncing: Fatal exception in interrupt
 <0>Rebooting in 5 seconds..

Panic no more!

Signed-off-by: Micha Mirosaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


---
 net/netfilter/nfnetlink_log.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -564,6 +564,7 @@ __build_packet_message(struct nfulnl_ins
 	}
 		
 	nlh->nlmsg_len = inst->skb->tail - old_tail;
+	inst->lastnlh = nlh;
 	return 0;
 
 nlmsg_failure:

-- 

  parent reply	other threads:[~2007-03-10  6:25 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20070310061234.465093436@mini.kroah.org>
2007-03-10  6:16 ` [patch 00/20] 2.6.20-stable review Greg KH
2007-03-10  6:16   ` [patch 01/20] conntrack: fix {nf, ip}_ct_iterate_cleanup endless loops Greg KH
2007-03-10  6:16   ` [patch 02/20] nf_conntrack/nf_nat: fix incorrect config ifdefs Greg KH
2007-03-10  6:16   ` [patch 03/20] tcp conntrack: accept SYN|URG as valid Greg KH
2007-03-10  6:17   ` [patch 04/20] nfnetlink_log: fix reference leak Greg KH
2007-03-10  6:17   ` [patch 05/20] nfnetlink_log: fix use after free Greg KH
2007-03-10  6:17   ` Greg KH [this message]
2007-03-10  6:17   ` [patch 07/20] nfnetlink_log: fix possible NULL pointer dereference Greg KH
2007-03-10  6:17   ` [patch 08/20] ip6_route_me_harder should take into account mark Greg KH
2007-03-10  6:17   ` [patch 09/20] nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED Greg KH
2007-03-10  6:17   ` [patch 10/20] nfnetlink_log: zero-terminate prefix Greg KH
2007-03-10  6:17   ` [patch 11/20] nfnetlink_log: fix crash on bridged packet Greg KH
2007-03-10  6:18   ` [patch 12/20] nfnetlink_log: fix reference counting Greg KH
2007-03-10  9:14     ` [stable] " Greg KH
2007-03-13 15:45       ` Patrick McHardy
2007-03-10  6:18   ` [patch 13/20] Fix bug 7994 sleeping function called from invalid context Greg KH
2007-03-10  6:18   ` [patch 14/20] bcm43xx: Fix problem with >1 GB RAM Greg KH
2007-03-10  6:18   ` [patch 15/20] Fix compat_getsockopt Greg KH
2007-03-10  6:18   ` [patch 16/20] fix for bugzilla #7544 (keyspan USB-to-serial converter) Greg KH
2007-03-10  6:18   ` [patch 17/20] Fix callback bug in connector Greg KH
2007-03-10  6:18   ` [patch 18/20] Fix sparc64 device register probing Greg KH
2007-03-10  6:18   ` [patch 19/20] Fix timewait jiffies Greg KH
2007-03-10  6:19   ` [patch 20/20] Fix UDP header pointer after pskb_trim_rcsum() Greg KH
2007-03-10  6:23   ` [patch 00/20] 2.6.20-stable review Greg KH
2007-03-10 21:43     ` Chuck Ebbert
2007-03-10 21:49       ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070310061718.GG31412@kroah.com \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=jmforbes@linuxtx.org \
    --cc=kaber@trash.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mirq-linux@rere.qmqm.pl \
    --cc=mkrufky@linuxtv.org \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).