From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hans Schillstrom <hans@schillstrom.com>,
Julian Anastasov <ja@ssi.bg>, Simon Horman <horms@verge.net.au>,
"David S. Miller" <davem@davemloft.net>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [ 17/73] ipvs: ip_vs_sip_fill_param() BUG: bad check of return value
Date: Thu, 9 May 2013 15:31:40 -0700
Message-ID: <20130509222759.825304902@linuxfoundation.org>
In-Reply-To: <20130509222757.917088509@linuxfoundation.org>
3.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Schillstrom <hans@schillstrom.com>
commit f7a1dd6e3ad59f0cfd51da29dfdbfd54122c5916 upstream.
The reason for this patch is crash in kmemdup
caused by returning from get_callid with uninitialized
matchoff and matchlen.
Removing Zero check of matchlen since it's done by ct_sip_get_header()
BUG: unable to handle kernel paging request at ffff880457b5763f
IP: [<ffffffff810df7fc>] kmemdup+0x2e/0x35
PGD 27f6067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: xt_state xt_helper nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle xt_connmark xt_conntrack ip6_tables nf_conntrack_ftp ip_vs_ftp nf_nat xt_tcpudp iptable_mangle xt_mark ip_tables x_tables ip_vs_rr ip_vs_lblcr ip_vs_pe_sip ip_vs nf_conntrack_sip nf_conntrack bonding igb i2c_algo_bit i2c_core
CPU 5
Pid: 0, comm: swapper/5 Not tainted 3.9.0-rc5+ #5 /S1200KP
RIP: 0010:[<ffffffff810df7fc>] [<ffffffff810df7fc>] kmemdup+0x2e/0x35
RSP: 0018:ffff8803fea03648 EFLAGS: 00010282
RAX: ffff8803d61063e0 RBX: 0000000000000003 RCX: 0000000000000003
RDX: 0000000000000003 RSI: ffff880457b5763f RDI: ffff8803d61063e0
RBP: ffff8803fea03658 R08: 0000000000000008 R09: 0000000000000011
R10: 0000000000000011 R11: 00ffffffff81a8a3 R12: ffff880457b5763f
R13: ffff8803d67f786a R14: ffff8803fea03730 R15: ffffffffa0098e90
FS: 0000000000000000(0000) GS:ffff8803fea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff880457b5763f CR3: 0000000001a0c000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper/5 (pid: 0, threadinfo ffff8803ee18c000, task ffff8803ee18a480)
Stack:
ffff8803d822a080 000000000000001c ffff8803fea036c8 ffffffffa000937a
ffffffff81f0d8a0 000000038135fdd5 ffff880300000014 ffff880300110000
ffffffff150118ac ffff8803d7e8a000 ffff88031e0118ac 0000000000000000
Call Trace:
<IRQ>
[<ffffffffa000937a>] ip_vs_sip_fill_param+0x13a/0x187 [ip_vs_pe_sip]
[<ffffffffa007b209>] ip_vs_sched_persist+0x2c6/0x9c3 [ip_vs]
[<ffffffff8107dc53>] ? __lock_acquire+0x677/0x1697
[<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
[<ffffffff8100972e>] ? native_sched_clock+0x3c/0x7d
[<ffffffff810649bc>] ? sched_clock_cpu+0x43/0xcf
[<ffffffffa007bb1e>] ip_vs_schedule+0x181/0x4ba [ip_vs]
...
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipvs/ip_vs_pe_sip.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
@@ -37,14 +37,10 @@ static int get_callid(const char *dptr,
if (ret > 0)
break;
if (!ret)
- return 0;
+ return -EINVAL;
dataoff += *matchoff;
}
- /* Empty callid is useless */
- if (!*matchlen)
- return -EINVAL;
-
/* Too large is useless */
if (*matchlen > IP_VS_PEDATA_MAXLEN)
return -EINVAL;
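Review bot: the `return 0` on the `if (!ret)` branch signalled success to the caller without ever having written *matchoff or *matchlen, which is the uninitialized pair the oops above shows reaching kmemdup(); switching it to `return -EINVAL` makes "no Call-ID header" an error, consistent with the "Too large is useless" check that follows. Dropping the "Empty callid is useless" test is only safe because, as the description says, ct_sip_get_header() already refuses to report a zero-length match; a one-line comment at the loop stating that assumption would stop a later change to the helper from silently reintroducing the empty-callid case.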
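To make the return-value contract concrete, here is a constructed user-space model (added here, not code from the kernel or from this patch) of the before and after shapes of get_callid(). find_call_id() is a stand-in for ct_sip_get_header(), and fill_param() is assumed to mirror ip_vs_sip_fill_param() in treating only a zero return as "go ahead and copy"; the poisoned off/len values stand in for whatever the stack happened to hold.

```c
/* Constructed model of the get_callid() / ip_vs_sip_fill_param() contract
 * (not the kernel's code).  find_call_id() stands in for ct_sip_get_header():
 * 1 = header found and *off/*len written, 0 = not present, outputs untouched. */
#include <errno.h>
#include <string.h>

static int find_call_id(const char *msg, unsigned int *off, unsigned int *len)
{
    const char *p = strstr(msg, "Call-ID:");
    if (!p)
        return 0;
    p += strlen("Call-ID:");
    while (*p == ' ')
        p++;
    const char *end = strpbrk(p, "\r\n");
    if (!end)
        end = p + strlen(p);
    *off = (unsigned int)(p - msg);
    *len = (unsigned int)(end - p);
    return 1;
}

/* Pre-patch shape: "not found" is reported with the success code 0. */
int get_callid_before(const char *msg, unsigned int *off, unsigned int *len)
{
    if (!find_call_id(msg, off, len))
        return 0;               /* BUG: success without writing *off/*len */
    return 0;
}

/* Post-patch shape: "not found" is an error, so the caller never copies. */
int get_callid_after(const char *msg, unsigned int *off, unsigned int *len)
{
    if (!find_call_id(msg, off, len))
        return -EINVAL;
    return 0;
}

/* Caller model (assumed to mirror ip_vs_sip_fill_param): any non-zero return
 * rejects the packet, otherwise *copied_len is what kmemdup() would be asked
 * to copy.  off/len are poisoned to stand in for whatever the stack held. */
int fill_param(int (*get_callid)(const char *, unsigned int *, unsigned int *),
               const char *msg, unsigned int *copied_len)
{
    unsigned int off = 0xdeadbeefu, len = 0xdeadbeefu;
    if (get_callid(msg, &off, &len))
        return -EINVAL;
    *copied_len = len;          /* 0xdeadbeef here = the oops's garbage length */
    return 0;
}
```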