* [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4
[not found] <2023082114-remix-cable-0852@gregkh>
@ 2023-08-24 11:53 ` Julian Anastasov
2023-08-24 11:53 ` [PATCH -stable,4.14.y,4.19.y 1/1] ipvs: Improve robustness to the ipvs sysctl Julian Anastasov
2023-08-26 16:36 ` [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4 Greg KH
0 siblings, 2 replies; 3+ messages in thread
From: Julian Anastasov @ 2023-08-24 11:53 UTC (permalink / raw)
To: stable
Cc: Simon Horman, lvs-devel, Pablo Neira Ayuso, netfilter-devel,
Junwei Hu, Sishuai Gong
Hello,
This patchset contains backport for
commit 1b90af292e71b20d03b837d39406acfbdc5d4b2a. It applies
to linux-4.14.y and linux-4.19.y and differs from original commit
for the zero/one values used for extra1/extra2.
When applied, the concerned commit
5310760af1d4fbea1452bfc77db5f9a680f7ae47 can be cherry-picked and
it will apply cleanly on top of 1b90af292e71.
Junwei Hu (1):
ipvs: Improve robustness to the ipvs sysctl
net/netfilter/ipvs/ip_vs_ctl.c | 70 +++++++++++++++++-----------------
1 file changed, 36 insertions(+), 34 deletions(-)
--
2.41.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH -stable,4.14.y,4.19.y 1/1] ipvs: Improve robustness to the ipvs sysctl
2023-08-24 11:53 ` [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4 Julian Anastasov
@ 2023-08-24 11:53 ` Julian Anastasov
2023-08-26 16:36 ` [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4 Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: Julian Anastasov @ 2023-08-24 11:53 UTC (permalink / raw)
To: stable
Cc: Simon Horman, lvs-devel, Pablo Neira Ayuso, netfilter-devel,
Junwei Hu, Sishuai Gong
From: Junwei Hu <hujunwei4@huawei.com>
The ipvs module parse the user buffer and save it to sysctl,
then check if the value is valid. invalid value occurs
over a period of time.
Here, I add a variable, struct ctl_table tmp, used to read
the value from the user buffer, and save only when it is valid.
I delete proc_do_sync_mode and use extra1/2 in table for the
proc_dointvec_minmax call.
Fixes: f73181c8288f ("ipvs: add support for sync threads")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 1b90af292e71b20d03b837d39406acfbdc5d4b2a)
[Julian: Backport by changing SYSCTL_ZERO/SYSCTL_ONE to zero/one]
Signed-off-by: Julian Anastasov <ja@ssi.bg>
---
net/netfilter/ipvs/ip_vs_ctl.c | 70 +++++++++++++++++-----------------
1 file changed, 36 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index ecc16d8c1cc3..4e78c2a6a3ca 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1648,6 +1648,7 @@ static int ip_vs_zero_all(struct netns_ipvs *ipvs)
#ifdef CONFIG_SYSCTL
static int zero;
+static int one = 1;
static int three = 3;
static int
@@ -1659,12 +1660,18 @@ proc_do_defense_mode(struct ctl_table *table, int write,
int val = *valp;
int rc;
- rc = proc_dointvec(table, write, buffer, lenp, ppos);
+ struct ctl_table tmp = {
+ .data = &val,
+ .maxlen = sizeof(int),
+ .mode = table->mode,
+ };
+
+ rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
if (write && (*valp != val)) {
- if ((*valp < 0) || (*valp > 3)) {
- /* Restore the correct value */
- *valp = val;
+ if (val < 0 || val > 3) {
+ rc = -EINVAL;
} else {
+ *valp = val;
update_defense_level(ipvs);
}
}
@@ -1678,33 +1685,20 @@ proc_do_sync_threshold(struct ctl_table *table, int write,
int *valp = table->data;
int val[2];
int rc;
+ struct ctl_table tmp = {
+ .data = &val,
+ .maxlen = table->maxlen,
+ .mode = table->mode,
+ };
- /* backup the value first */
memcpy(val, valp, sizeof(val));
-
- rc = proc_dointvec(table, write, buffer, lenp, ppos);
- if (write && (valp[0] < 0 || valp[1] < 0 ||
- (valp[0] >= valp[1] && valp[1]))) {
- /* Restore the correct value */
- memcpy(valp, val, sizeof(val));
- }
- return rc;
-}
-
-static int
-proc_do_sync_mode(struct ctl_table *table, int write,
- void __user *buffer, size_t *lenp, loff_t *ppos)
-{
- int *valp = table->data;
- int val = *valp;
- int rc;
-
- rc = proc_dointvec(table, write, buffer, lenp, ppos);
- if (write && (*valp != val)) {
- if ((*valp < 0) || (*valp > 1)) {
- /* Restore the correct value */
- *valp = val;
- }
+ rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
+ if (write) {
+ if (val[0] < 0 || val[1] < 0 ||
+ (val[0] >= val[1] && val[1]))
+ rc = -EINVAL;
+ else
+ memcpy(valp, val, sizeof(val));
}
return rc;
}
@@ -1717,12 +1711,18 @@ proc_do_sync_ports(struct ctl_table *table, int write,
int val = *valp;
int rc;
- rc = proc_dointvec(table, write, buffer, lenp, ppos);
+ struct ctl_table tmp = {
+ .data = &val,
+ .maxlen = sizeof(int),
+ .mode = table->mode,
+ };
+
+ rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
if (write && (*valp != val)) {
- if (*valp < 1 || !is_power_of_2(*valp)) {
- /* Restore the correct value */
+ if (val < 1 || !is_power_of_2(val))
+ rc = -EINVAL;
+ else
*valp = val;
- }
}
return rc;
}
@@ -1782,7 +1782,9 @@ static struct ctl_table vs_vars[] = {
.procname = "sync_version",
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_do_sync_mode,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &zero,
+ .extra2 = &one,
},
{
.procname = "sync_ports",
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4
2023-08-24 11:53 ` [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4 Julian Anastasov
2023-08-24 11:53 ` [PATCH -stable,4.14.y,4.19.y 1/1] ipvs: Improve robustness to the ipvs sysctl Julian Anastasov
@ 2023-08-26 16:36 ` Greg KH
1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2023-08-26 16:36 UTC (permalink / raw)
To: Julian Anastasov
Cc: stable, Simon Horman, lvs-devel, Pablo Neira Ayuso,
netfilter-devel, Junwei Hu, Sishuai Gong
On Thu, Aug 24, 2023 at 02:53:53PM +0300, Julian Anastasov wrote:
> Hello,
>
> This patchset contains backport for
> commit 1b90af292e71b20d03b837d39406acfbdc5d4b2a. It applies
> to linux-4.14.y and linux-4.19.y and differs from original commit
> for the zero/one values used for extra1/extra2.
>
> When applied, the concerned commit
> 5310760af1d4fbea1452bfc77db5f9a680f7ae47 can be cherry-picked and
> it will apply cleanly on top of 1b90af292e71.
>
> Junwei Hu (1):
> ipvs: Improve robustness to the ipvs sysctl
>
> net/netfilter/ipvs/ip_vs_ctl.c | 70 +++++++++++++++++-----------------
> 1 file changed, 36 insertions(+), 34 deletions(-)
>
> --
> 2.41.0
>
>
Now queued up, thanks.
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-08-26 16:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <2023082114-remix-cable-0852@gregkh>
2023-08-24 11:53 ` [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4 Julian Anastasov
2023-08-24 11:53 ` [PATCH -stable,4.14.y,4.19.y 1/1] ipvs: Improve robustness to the ipvs sysctl Julian Anastasov
2023-08-26 16:36 ` [PATCH -stable,4.14.y,4.19.y 0/1] ipvs: backport 1b90af292e71 and 5310760af1d4 Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).