From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.14 33/61] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()
Date: Fri, 6 Jul 2018 07:46:57 +0200 [thread overview]
Message-ID: <20180706054713.603352386@linuxfoundation.org> (raw)
In-Reply-To: <20180706054712.332416244@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taehee Yoo <ap420073@gmail.com>
commit 360cc79d9d299ce297b205508276285ceffc5fa8 upstream.
The table field in nft_obj_filter is not an array. In order to check
tablename, we should check if the pointer is set.
Test commands:
%nft add table ip filter
%nft add counter ip filter ct1
%nft reset counters
Splat looks like:
[ 306.510504] kasan: CONFIG_KASAN_INLINE enabled
[ 306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables
[ 306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17
[ 306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
[ 306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables]
[ 306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246
[ 306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000
[ 306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a
[ 306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b
[ 306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108
[ 306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860
[ 306.528284] FS: 00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
[ 306.528284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0
[ 306.528284] Call Trace:
[ 306.528284] netlink_dump+0x470/0xa20
[ 306.528284] __netlink_dump_start+0x5ae/0x690
[ 306.528284] ? nf_tables_getobj+0x1b3/0x740 [nf_tables]
[ 306.528284] nf_tables_getobj+0x2f5/0x740 [nf_tables]
[ 306.528284] ? nft_obj_notify+0x100/0x100 [nf_tables]
[ 306.528284] ? nf_tables_getobj+0x740/0x740 [nf_tables]
[ 306.528284] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
[ 306.528284] ? nft_obj_notify+0x100/0x100 [nf_tables]
[ 306.528284] nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink]
[ 306.528284] ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink]
[ 306.528284] netlink_rcv_skb+0x1c9/0x2f0
[ 306.528284] ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
[ 306.528284] ? debug_check_no_locks_freed+0x270/0x270
[ 306.528284] ? netlink_ack+0x7a0/0x7a0
[ 306.528284] ? ns_capable_common+0x6e/0x110
[ ... ]
Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4614,7 +4614,7 @@ static int nf_tables_dump_obj(struct sk_
if (idx > s_idx)
memset(&cb->args[1], 0,
sizeof(cb->args) - sizeof(cb->args[0]));
- if (filter && filter->table[0] &&
+ if (filter && filter->table &&
strcmp(filter->table, table->name))
goto cont;
if (filter &&
next prev parent reply other threads:[~2018-07-06 5:59 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-06 5:46 [PATCH 4.14 00/61] 4.14.54-stable review Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 01/61] usb: cdc_acm: Add quirk for Uniden UBC125 scanner Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 02/61] USB: serial: cp210x: add CESINEL device ids Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 03/61] USB: serial: cp210x: add Silicon Labs IDs for Windows Update Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 04/61] usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 05/61] acpi: Add helper for deactivating memory region Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 06/61] usb: typec: ucsi: acpi: Workaround for cache mode issue Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 07/61] usb: typec: ucsi: Fix for incorrect status data issue Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 08/61] xhci: Fix kernel oops in trace_xhci_free_virt_device Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 09/61] n_tty: Fix stall at n_tty_receive_char_special() Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 10/61] n_tty: Access echo_* variables carefully Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 11/61] staging: android: ion: Return an ERR_PTR in ion_map_kernel Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 12/61] serial: 8250_pci: Remove stalled entries in blacklist Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 13/61] serdev: fix memleak on module unload Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 14/61] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Greg Kroah-Hartman
2018-07-06 5:52 ` syzbot
2018-07-06 5:46 ` [PATCH 4.14 18/61] drm/qxl: Call qxl_bo_unref outside atomic context Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 19/61] drm/atmel-hlcdc: check stride values in the first plane Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 22/61] drm/i915: Enable provoking vertex fix on Gen9 systems Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 23/61] netfilter: nf_tables: nft_compat: fix refcount leak on xt module Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 24/61] netfilter: nft_compat: prepare for indirect info storage Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 25/61] netfilter: nft_compat: fix handling of large matchinfo size Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 26/61] netfilter: nf_tables: dont assume chain stats are set when jumplabel is set Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 27/61] netfilter: nf_tables: bogus EBUSY in chain deletions Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 28/61] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 29/61] netfilter: nf_tables: disable preemption in nft_update_chain_stats() Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 30/61] netfilter: nf_tables: increase nft_counters_enabled in nft_chain_stats_replace() Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 31/61] netfilter: nf_tables: fix memory leak on error exit return Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 32/61] netfilter: nf_tables: add missing netlink attrs to policies Greg Kroah-Hartman
2018-07-06 5:46 ` Greg Kroah-Hartman [this message]
2018-07-06 5:46 ` [PATCH 4.14 34/61] md: always hold reconfig_mutex when calling mddev_suspend() Greg Kroah-Hartman
2018-07-06 5:46 ` [PATCH 4.14 35/61] md: dont call bitmap_create() while array is quiesced Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 36/61] md: move suspend_hi/lo handling into core md code Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 37/61] md: use mddev_suspend/resume instead of ->quiesce() Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 38/61] md: allow metadata update while suspending Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 39/61] md: remove special meaning of ->quiesce(.., 2) Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 40/61] netfilter: dont set F_IFACE on ipv6 fib lookups Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 41/61] netfilter: ip6t_rpfilter: provide input interface for route lookup Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 42/61] netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 43/61] ARM: dts: imx6q: Use correct SDMA script for SPI5 core Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 44/61] mtd: rawnand: fix return value check for bad block status Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 46/61] afs: Fix directory permissions check Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 47/61] netfilter: ebtables: handle string from userspace with care Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 48/61] s390/dasd: use blk_mq_rq_from_pdu for per request data Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 49/61] netfilter: nft_limit: fix packet ratelimiting Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 50/61] ipvs: fix buffer overflow with sync daemon and service Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 51/61] iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 52/61] atm: zatm: fix memcmp casting Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 54/61] perf test: "Session topology" dumps core on s390 Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 55/61] perf bpf: Fix NULL return handling in bpf__prepare_load() Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 56/61] fs: clear writeback errors in inode_init_always Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 57/61] sched/core: Fix rules for running on online && !active CPUs Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 58/61] sched/core: Require cpu_active() in select_task_rq(), for user tasks Greg Kroah-Hartman
2018-07-06 5:47 ` [PATCH 4.14 60/61] net/sonic: Use dma_mapping_error() Greg Kroah-Hartman
2018-07-06 17:54 ` [PATCH 4.14 00/61] 4.14.54-stable review Dan Rue
2018-07-07 21:39 ` Guenter Roeck
2018-07-08 13:29 ` Greg Kroah-Hartman
2018-07-09 13:28 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706054713.603352386@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).