Netdev Archive on lore.kernel.org
 help / color / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
	syzbot+276ddebab3382bbf72db@syzkaller.appspotmail.com,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <sashal@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 28/68] netfilter: ebtables: also count base chain policies
Date: Tue, 13 Aug 2019 22:15:06 -0400
Message-ID: <20190814021548.16001-28-sashal@kernel.org> (raw)
In-Reply-To: <20190814021548.16001-1-sashal@kernel.org>

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 3b48300d5cc7c7bed63fddb006c4046549ed4aec ]

ebtables doesn't include the base chain policies in the rule count,
so we need to add them manually when we call into the x_tables core
to allocate space for the comapt offset table.

This lead syzbot to trigger:
WARNING: CPU: 1 PID: 9012 at net/netfilter/x_tables.c:649
xt_compat_add_offset.cold+0x11/0x36 net/netfilter/x_tables.c:649

Reported-by: syzbot+276ddebab3382bbf72db@syzkaller.appspotmail.com
Fixes: 2035f3ff8eaa ("netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebtables.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 57856f8bc22dd..62ffc989a44a2 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1779,20 +1779,28 @@ static int compat_calc_entry(const struct ebt_entry *e,
 	return 0;
 }
 
+static int ebt_compat_init_offsets(unsigned int number)
+{
+	if (number > INT_MAX)
+		return -EINVAL;
+
+	/* also count the base chain policies */
+	number += NF_BR_NUMHOOKS;
+
+	return xt_compat_init_offsets(NFPROTO_BRIDGE, number);
+}
 
 static int compat_table_info(const struct ebt_table_info *info,
 			     struct compat_ebt_replace *newinfo)
 {
 	unsigned int size = info->entries_size;
 	const void *entries = info->entries;
+	int ret;
 
 	newinfo->entries_size = size;
-	if (info->nentries) {
-		int ret = xt_compat_init_offsets(NFPROTO_BRIDGE,
-						 info->nentries);
-		if (ret)
-			return ret;
-	}
+	ret = ebt_compat_init_offsets(info->nentries);
+	if (ret)
+		return ret;
 
 	return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
 							entries, newinfo);
@@ -2241,11 +2249,9 @@ static int compat_do_replace(struct net *net, void __user *user,
 
 	xt_compat_lock(NFPROTO_BRIDGE);
 
-	if (tmp.nentries) {
-		ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
-		if (ret < 0)
-			goto out_unlock;
-	}
+	ret = ebt_compat_init_offsets(tmp.nentries);
+	if (ret < 0)
+		goto out_unlock;
 
 	ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
 	if (ret < 0)
-- 
2.20.1


  parent reply index

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20190814021548.16001-1-sashal@kernel.org>
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 06/68] netfilter: ebtables: fix a memory leak bug in compat Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 08/68] selftests/bpf: fix sendmsg6_prog on s390 Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 09/68] bonding: Force slave speed check after link state recovery for 802.3ad Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 10/68] net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 11/68] selftests: forwarding: gre_multipath: Enable IPv4 forwarding Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 12/68] selftests: forwarding: gre_multipath: Fix flower filters Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 13/68] can: dev: call netif_carrier_off() in register_candev() Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 14/68] can: mcp251x: add error check when wq alloc failed Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 15/68] can: gw: Fix error path of cgw_module_init Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 17/68] st21nfca_connectivity_event_received: null check the allocation Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 18/68] st_nci_hci_connectivity_event_received: " Sasha Levin
2019-08-14  2:14 ` [PATCH AUTOSEL 4.19 21/68] net: usb: qmi_wwan: Add the BroadMobi BM818 card Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 22/68] qed: RDMA - Fix the hw_ver returned in device attributes Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 23/68] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 24/68] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 25/68] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 26/68] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 27/68] netfilter: ipset: Fix rename concurrency with listing Sasha Levin
2019-08-14  2:15 ` Sasha Levin [this message]
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 29/68] rxrpc: Fix potential deadlock Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 30/68] rxrpc: Fix the lack of notification when sendmsg() fails on a DATA packet Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 32/68] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 33/68] net: phy: phy_led_triggers: Fix a possible null-pointer dereference in phy_led_trigger_change_speed() Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 36/68] net: usb: pegasus: fix improper read if get_registers() fail Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 37/68] can: sja1000: force the string buffer NULL-terminated Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 38/68] can: peak_usb: " Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 39/68] net/ethernet/qlogic/qed: " Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 52/68] net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 53/68] net: stmmac: Fix issues when number of Queues >= 4 Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 54/68] net: stmmac: tc: Do not return a fragment entry Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 55/68] net: hisilicon: make hip04_tx_reclaim non-reentrant Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 56/68] net: hisilicon: fix hip04-xmit never return TX_BUSY Sasha Levin
2019-08-14  2:15 ` [PATCH AUTOSEL 4.19 57/68] net: hisilicon: Fix dma_map_single failed on arm64 Sasha Levin

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190814021548.16001-28-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=coreteam@netfilter.org \
    --cc=fw@strlen.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+276ddebab3382bbf72db@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org netdev@archiver.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/ public-inbox