From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Theodore Ts'o <tytso@mit.edu>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
netfilter-devel@lists.netfilter.org,
Justin Forbes <jmforbes@linuxtx.org>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
davem@davemloft.net, Randy Dunlap <rdunlap@xenotime.net>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>, Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
akpm@linux-foundation.org,
Michał Mirosław <mirq-linux@rere.qmqm.pl>,
torvalds@linux-foundation.org, Patrick McHardy <kaber@trash.net>,
alan@lxorguk.ukuu.org.uk
Subject: [patch 06/20] nfnetlink_log: fix NULL pointer dereference
Date: Fri, 9 Mar 2007 22:17:18 -0800
Message-ID: <20070310061718.GG31412@kroah.com>
In-Reply-To: <20070310061603.GA31412@kroah.com>
[-- Attachment #1: nfnetlink_log-fix-null-pointer-dereference.patch --]
[-- Type: text/plain, Size: 2737 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
[NETFILTER]: nfnetlink_log: fix NULL pointer dereference
Fix the nasty NULL dereference on multiple packets per netlink message.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
printing eip:
f8a4b3bf
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark ipt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipmap ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_cd cdrom
CPU: 0
EIP: 0060:[<f8a4b3bf>] Not tainted VLI
EFLAGS: 00010206 (2.6.20 #5)
EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
eax: 00000000 ebx: f2b5cbc0 ecx: c03f5f54 edx: c03f4000
esi: f2b5cbc8 edi: c03f5f54 ebp: f8a4b3ec esp: c03f5f30
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
Call Trace:
[<f8a4b401>] nfulnl_timer+0x15/0x25 [nfnetlink_log]
[<c012af49>] run_timer_softirq+0x10a/0x164
[<c0126932>] __do_softirq+0x60/0xba
[<c01269bd>] do_softirq+0x31/0x35
[<c0104f6e>] do_IRQ+0x62/0x74
[<c01036cb>] common_interrupt+0x23/0x28
[<c0101018>] default_idle+0x0/0x3f
[<c0101045>] default_idle+0x2d/0x3f
[<c01010fa>] cpu_idle+0xa0/0xb9
[<c03fb7f5>] start_kernel+0x1a8/0x1ac
[<c03fb293>] unknown_bootoption+0x0/0x181
=======================
Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8 08 9a 84
EIP: [<f8a4b3bf>] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
<0>Kernel panic - not syncing: Fatal exception in interrupt
<0>Rebooting in 5 seconds..
Panic no more!
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/netfilter/nfnetlink_log.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -564,6 +564,7 @@ __build_packet_message(struct nfulnl_ins
}
nlh->nlmsg_len = inst->skb->tail - old_tail;
+ inst->lastnlh = nlh;
return 0;
nlmsg_failure:
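Review bot: the changelog should give the root cause in one sentence instead of leaving the reader to decode the oops: __build_packet_message never recorded the netlink header it built, so inst->lastnlh stayed NULL, and __nfulnl_send faults when it touches it with more than one packet queued. The Code: line bears this out: `83 7b 10 01` / `76 09` compares a count in the instance against 1 and, when it is greater, `8b 43 18` loads the pointer and `66 c7 40 04 03 00` stores NLMSG_DONE (3) at offset 4 of it, i.e. nlmsg_type of a struct nlmsghdr; with eax: 00000000 that is exactly the write fault (Oops: 0002) at virtual address 00000004. The one-line fix `+ inst->lastnlh = nlh;` on the success path is the right place to set it; a short comment there saying that __nfulnl_send uses lastnlh to flag the final header of a multi-packet message would make the invariant visible, and it is worth confirming (outside this hunk) that lastnlh is cleared whenever inst->skb is released so it never points into a freed buffer.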
--