From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=lxM9=RP=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FSL_HELO_FAKE,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_PASS,USER_AGENT_MUTT autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F1DF1C10F00
	for <stable@archiver.kernel.org>; Tue, 12 Mar 2019 18:08:02 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id AE64D205C9
	for <stable@archiver.kernel.org>; Tue, 12 Mar 2019 18:08:02 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="QYTPyB0p"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728130AbfCLSH7 (ORCPT <rfc822;stable@archiver.kernel.org>);
        Tue, 12 Mar 2019 14:07:59 -0400
Received: from mail-pf1-f178.google.com ([209.85.210.178]:46960 "EHLO
        mail-pf1-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727540AbfCLSH7 (ORCPT
        <rfc822;stable@vger.kernel.org>); Tue, 12 Mar 2019 14:07:59 -0400
Received: by mail-pf1-f178.google.com with SMTP id s23so2362097pfe.13
        for <stable@vger.kernel.org>; Tue, 12 Mar 2019 11:07:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:mime-version:content-disposition
         :user-agent;
        bh=8xjip6bvbilVa8p2zg8ASV2hTwQ1b7hSYp3sFqBYb5c=;
        b=QYTPyB0pMJSC1DKB3Y7O/2bp/NQl8Bo8UJY6vOlfWwgFUWIGDacsEdLC94OPCysrVx
         gkRaVfiHMK9iYm0v/OSKgVqAk72R6RvRbAfbsNHif6+X+qoZ+CSNG522ueDWJKFGUqVJ
         xlKFZ2SEE99AixGdUPxT2teE3NaJK4XJnRce4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
         :content-disposition:user-agent;
        bh=8xjip6bvbilVa8p2zg8ASV2hTwQ1b7hSYp3sFqBYb5c=;
        b=kAZEPs1ygntJXmmOmpJz3WkGor+7wyeL6B49dVu8e4TA7cyMEWP65sDbju/qbrmqw6
         CoIZZoqDJ8jXiIaQ2jN8wWmpb384jldq5qaSGDXqCgUaQ5FKXQgC2rdQTg4rmbIA6D8B
         Hqt8v6a5Qrt9PkBpPw/WOC6KGOgNAOFl9rfkBngWUsiZZfgWuLHSX15UAlAKzrPu6snD
         QxnHyTfVZCaPInayLB9cszNV170cZrbQ4LYZJg9/XDnaJSIZgRfXC+VDTzyl544eONvZ
         UcJEXq74VWa8hDh4PQRH7+jenOtsQCGXfuF0M05q8JBT2pT5o39ncUz/e15mtOF4WRU5
         df+w==
X-Gm-Message-State: APjAAAVxHZj6lqQw/kjDKOFXzGc+k5IVlRUvOhId/TlcfXx7d0+3+byB
        7EvS8pQhsh9BOPsTQ7GSABe7D8SQqu4=
X-Google-Smtp-Source: APXvYqwHrHr4wgmPCaP4TdYvHHoeEwf6prDMbDIlCDOrfE8vkNUgXhdK9bvdhKk7HHIJjk9Z0t0dKg==
X-Received: by 2002:a65:5c41:: with SMTP id v1mr30656790pgr.404.1552414077902;
        Tue, 12 Mar 2019 11:07:57 -0700 (PDT)
Received: from google.com ([2620:15c:202:201:49ea:b78f:4f04:4d25])
        by smtp.googlemail.com with ESMTPSA id x7sm578240pgc.7.2019.03.12.11.07.56
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 12 Mar 2019 11:07:57 -0700 (PDT)
Date:   Tue, 12 Mar 2019 11:07:53 -0700
From:   Zubin Mithra <zsm@chromium.org>
To:     stable@vger.kernel.org
Cc:     groeck@chromium.org, gregkh@linuxfoundation.org,
        pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de,
        sploving1@gmail.com
Subject: b301f2538759 ("netfilter: x_tables: enforce nul-terminated table
 name from getsockopt GET_ENTRIES")
Message-ID: <20190312180752.GA162337@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

Hello,

Syzkaller has triggered a stack OOB read when fuzzing a 4.4 kernel with the following stacktrace.

Call Trace:
 [<ffffffff81cb9fad>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81cb9fad>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff815275e9>] print_address_description mm/kasan/report.c:199 [inline]
 [<ffffffff815275e9>] kasan_report_error mm/kasan/report.c:285 [inline]
 [<ffffffff815275e9>] kasan_report.part.2.cold.3+0x447/0x4ec mm/kasan/report.c:310
 [<ffffffff814eca2e>] kasan_report mm/kasan/report.c:328 [inline]
 [<ffffffff814eca2e>] __asan_report_load1_noabort+0x2e/0x30 mm/kasan/report.c:328
 [<ffffffff81cd54d1>] strnlen+0xc1/0xd0 lib/string.c:498
 [<ffffffff81cdd6ac>] string.isra.4+0x4c/0x250 lib/vsprintf.c:518
 [<ffffffff81ce27da>] vsnprintf+0x42a/0x18c0 lib/vsprintf.c:1904
 [<ffffffff8114fd73>] __request_module+0x153/0x7a0 kernel/kmod.c:146
 [<ffffffff82986521>] find_inlist_lock.constprop.15+0x111/0x210 net/bridge/netfilter/ebtables.c:347
 [<ffffffff8298a942>] find_table_lock net/bridge/netfilter/ebtables.c:356 [inline]
 [<ffffffff8298a942>] do_ebt_get_ctl+0x152/0x570 net/bridge/netfilter/ebtables.c:1531
 [<ffffffff823e8bc5>] nf_sockopt net/netfilter/nf_sockopt.c:103 [inline]
 [<ffffffff823e8bc5>] nf_getsockopt+0x75/0xd0 net/netfilter/nf_sockopt.c:121
 [<ffffffff8261d60d>] ip_getsockopt+0x12d/0x170 net/ipv4/ip_sockglue.c:1533
 [<ffffffff826411cd>] tcp_getsockopt+0x8d/0xe0 net/ipv4/tcp.c:3040
 [<ffffffff82250c0f>] sock_common_getsockopt+0x9f/0xe0 net/core/sock.c:2652
 [<ffffffff8224e45d>] SYSC_getsockopt net/socket.c:1811 [inline]
 [<ffffffff8224e45d>] SyS_getsockopt+0x14d/0x230 net/socket.c:1793
 [<ffffffff82a5f3cf>] tracesys_phase2+0x90/0x95

Could the following patch be applied to v4.4.y? The patch is present in v4.9.y.
* b301f2538759 ("netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES")

Tests run:
* Chrome OS tryjobs
* Syzkaller reproducer


Thanks,
- Zubin