From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Mukund Jampala <jbmukund@gmail.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [ 72/89] netfilter: ip[6]t_REJECT: fix wrong transport header pointer in TCP reset
Date: Fri,  1 Feb 2013 14:08:27 +0100	[thread overview]
Message-ID: <20130201130212.670323187@linuxfoundation.org> (raw)
In-Reply-To: <20130201130207.444989281@linuxfoundation.org>

3.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mukund Jampala <jbmukund@gmail.com>

commit c6f408996c625cb950cad024f90e50519f94713c upstream.

The problem occurs when iptables constructs the tcp reset packet.
It doesn't initialize the pointer to the tcp header within the skb.
When the skb is passed to the ixgbe driver for transmit, the ixgbe
driver attempts to access the tcp header and crashes.
Currently, other drivers (such as our 1G e1000e or igb drivers) don't
access the tcp header on transmit unless the TSO option is turned on.

<1>BUG: unable to handle kernel NULL pointer dereference at 0000000d
<1>IP: [<d081621c>] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe]
<4>*pdpt = 0000000085e5d001 *pde = 0000000000000000
<0>Oops: 0000 [#1] SMP
[...]
<4>Pid: 0, comm: swapper Tainted: P            2.6.35.12 #1 Greencity/Thurley
<4>EIP: 0060:[<d081621c>] EFLAGS: 00010246 CPU: 16
<4>EIP is at ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe]
<4>EAX: c7628820 EBX: 00000007 ECX: 00000000 EDX: 00000000
<4>ESI: 00000008 EDI: c6882180 EBP: dfc6b000 ESP: ced95c48
<4> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
<0>Process swapper (pid: 0, ti=ced94000 task=ced73bd0 task.ti=ced94000)
<0>Stack:
<4> cbec7418 c779e0d8 c77cc888 c77cc8a8 0903010a 00000000 c77c0008 00000002
<4><0> cd4997c0 00000010 dfc6b000 00000000 d0d176c9 c77cc8d8 c6882180 cbec7318
<4><0> 00000004 00000004 cbec7230 cbec7110 00000000 cbec70c0 c779e000 00000002
<0>Call Trace:
<4> [<d0d176c9>] ? 0xd0d176c9
<4> [<d0d18a4d>] ? 0xd0d18a4d
<4> [<411e243e>] ? dev_hard_start_xmit+0x218/0x2d7
<4> [<411f03d7>] ? sch_direct_xmit+0x4b/0x114
<4> [<411f056a>] ? __qdisc_run+0xca/0xe0
<4> [<411e28b0>] ? dev_queue_xmit+0x2d1/0x3d0
<4> [<411e8120>] ? neigh_resolve_output+0x1c5/0x20f
<4> [<411e94a1>] ? neigh_update+0x29c/0x330
<4> [<4121cf29>] ? arp_process+0x49c/0x4cd
<4> [<411f80c9>] ? nf_hook_slow+0x3f/0xac
<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
<4> [<4121c6d5>] ? T.901+0x38/0x3b
<4> [<4121c918>] ? arp_rcv+0xa3/0xb4
<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
<4> [<411e1173>] ? __netif_receive_skb+0x32b/0x346
<4> [<411e19e1>] ? netif_receive_skb+0x5a/0x5f
<4> [<411e1ea9>] ? napi_skb_finish+0x1b/0x30
<4> [<d0816eb4>] ? ixgbe_xmit_frame_ring+0x1564/0x2260 [ixgbe]
<4> [<41013468>] ? lapic_next_event+0x13/0x16
<4> [<410429b2>] ? clockevents_program_event+0xd2/0xe4
<4> [<411e1b03>] ? net_rx_action+0x55/0x127
<4> [<4102da1a>] ? __do_softirq+0x77/0xeb
<4> [<4102dab1>] ? do_softirq+0x23/0x27
<4> [<41003a67>] ? do_IRQ+0x7d/0x8e
<4> [<41002a69>] ? common_interrupt+0x29/0x30
<4> [<41007bcf>] ? mwait_idle+0x48/0x4d
<4> [<4100193b>] ? cpu_idle+0x37/0x4c
<0>Code: df 09 d7 0f 94 c2 0f b6 d2 e9 e7 fb ff ff 31 db 31 c0 e9 38
ff ff ff 80 78 06 06 0f 85 3e fb ff ff 8b 7c 24 38 8b 8f b8 00 00 00
<0f> b6 51 0d f6 c2 01 0f 85 27 fb ff ff 80 e2 02 75 0d 8b 6c 24
<0>EIP: [<d081621c>] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe] SS:ESP

Signed-off-by: Mukund Jampala <jbmukund@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/netfilter/ipt_REJECT.c  |    1 +
 net/ipv6/netfilter/ip6t_REJECT.c |    1 +
 2 files changed, 2 insertions(+)

--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -81,6 +81,7 @@ static void send_reset(struct sk_buff *o
 	niph->saddr	= oiph->daddr;
 	niph->daddr	= oiph->saddr;
 
+	skb_reset_transport_header(nskb);
 	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
 	memset(tcph, 0, sizeof(*tcph));
 	tcph->source	= oth->dest;
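Review bot: `skb_reset_transport_header(nskb);` records skb->data, while the `skb_put()` on the next line appends at skb->tail, so unless skb->data has been advanced past the IP header somewhere outside this hunk, nskb's transport header ends up at the same place as the IP header that was just filled through niph, 20 bytes before the TCP header this skb_put() creates. That is sufficient to stop the NULL dereference in the oops (the faulting `movzbl 0xd(%ecx)` with ECX = 0 reads byte 13 of a NULL tcphdr, the flags byte, hence "at 0000000d"), but a driver that consults tcp_hdr(nskb) for ports or flags would then read IP header bytes. Suggest `skb_set_transport_header(nskb, nskb->len);` in place of the reset, since nskb->len at this point is the offset of the tail the following skb_put() fills, or a comment stating why reusing the network-header position is intended.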
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -132,6 +132,7 @@ static void send_reset(struct net *net,
 	ip6h->saddr = oip6h->daddr;
 	ip6h->daddr = oip6h->saddr;
 
+	skb_reset_transport_header(nskb);
 	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
 	/* Truncate to length (no data) */
 	tcph->doff = sizeof(struct tcphdr)/4;
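Review bot: the IPv6 copy raises the same question as the IPv4 one: `skb_reset_transport_header(nskb);` records skb->data, which, unless it was advanced somewhere not shown here, still points at the IPv6 header filled through ip6h just above, 40 bytes before the TCP header the `skb_put()` on the next line appends. Beyond that, this is now the same one-line fix maintained in two files; moving the reset-packet construction into a shared helper would stop a future change from correcting only one address family. If the placement is deliberate, a comment at both call sites would save the next reader this analysis.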


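As an added illustration (not code from the patch or the kernel), the following user-space C model reproduces the sk_buff bookkeeping the commit message describes. It assumes a 32-bit kernel where the header fields are raw pointers zeroed by alloc_skb(), and a send_reset() that reserves link-layer room and then skb_put()s the IP and TCP headers without moving skb->data; with no transport header set, a tcp_hdr(skb)->flags read resolves to address 0xd, the value in the oops, and the model also shows where skb_reset_transport_header() versus an explicit offset each leave the pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LL_MAX_HEADER 32   /* constructed stand-in; the kernel's value is config-dependent */

struct iphdr_m  { uint8_t ver_ihl, tos; uint16_t tot_len; uint8_t rest[16]; };  /* 20 bytes */
struct tcphdr_m { uint16_t source, dest; uint32_t seq, ack_seq; uint8_t doff_res, flags;
                  uint16_t window, check, urg_ptr; };                            /* flags is byte 13 */

struct skb_m {                                   /* only the sk_buff fields the model needs */
    unsigned char *head, *data, *tail;
    unsigned char *network_header, *transport_header;   /* raw pointers, as on a 32-bit kernel */
    unsigned char buf[LL_MAX_HEADER + sizeof(struct iphdr_m) + sizeof(struct tcphdr_m)];
};
static struct skb_m g_skb;

static void skb_alloc_m(struct skb_m *s) {       /* alloc_skb() zeroes the header fields, */
    memset(s, 0, sizeof *s);                     /* so transport_header starts out NULL    */
    s->head = s->data = s->tail = s->buf;
}
static void  skb_reserve_m(struct skb_m *s, size_t n) { s->data += n; s->tail += n; }
static void *skb_put_m(struct skb_m *s, size_t n)     { void *p = s->tail; s->tail += n; return p; }
/* The reset helpers record skb->data; skb_put() moves only skb->tail. */
static void skb_reset_network_header_m(struct skb_m *s)   { s->network_header   = s->data; }
static void skb_reset_transport_header_m(struct skb_m *s) { s->transport_header = s->data; }
static void skb_set_transport_header_m(struct skb_m *s, size_t off) { s->transport_header = s->data + off; }

/* Build a TCP reset the way send_reset() does: reserve link-layer room, then
 * skb_put() the IP and TCP headers.  how = 0: never set the transport header
 * (the bug); 1: skb_reset_transport_header() before the TCP skb_put() (the
 * patch); 2: record the TCP header's real offset.  Returns the address a
 * driver's tcp_hdr(skb)->flags read would touch, i.e. the oops' fault address. */
static uintptr_t build_reset(int how) {
    struct skb_m *s = &g_skb;
    skb_alloc_m(s);
    skb_reserve_m(s, LL_MAX_HEADER);
    skb_reset_network_header_m(s);
    struct iphdr_m *ip = skb_put_m(s, sizeof *ip);
    ip->ver_ihl = 0x45;                          /* IPv4, 20-byte header */
    if (how == 1) skb_reset_transport_header_m(s);
    if (how == 2) skb_set_transport_header_m(s, (size_t)(s->tail - s->data));
    struct tcphdr_m *tcp = skb_put_m(s, sizeof *tcp);
    memset(tcp, 0, sizeof *tcp);
    tcp->flags = 0x04;                           /* RST */
    return (uintptr_t)s->transport_header + offsetof(struct tcphdr_m, flags);
}
static uintptr_t network_hdr_addr(void) { return (uintptr_t)g_skb.network_header; }
```

build_reset(0) yields 0xd, matching "NULL pointer dereference at 0000000d"; build_reset(1) lands 13 bytes into the IP header, and only build_reset(2) reaches the RST byte that was actually written.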
