From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Francesco Ruggeri <fruggeri@arista.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Zubin Mithra <zsm@chromium.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 01/51] netfilter: compat: initialize all fields in xt_init
Date: Wed, 15 May 2019 12:55:36 +0200 [thread overview]
Message-ID: <20190515090618.008520070@linuxfoundation.org> (raw)
In-Reply-To: <20190515090616.669619870@linuxfoundation.org>
commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f upstream
If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
time, the following panic can be caused by running
% ebtables -t broute -F BROUTING
from a 32-bit user level on a 64-bit kernel. This patch replaces
kmalloc_array with kcalloc when allocating xt.
[ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920
[ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
[ 474.693838] Oops: 0000 [#1] SMP
[ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
[ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
[ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
[ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
[ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
[ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
[ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
[ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
[ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
[ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
[ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
[ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
[ 474.802052] Call Trace:
[ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables]
[ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
[ 474.815605] ? try_module_get+0x37/0x42
[ 474.819716] compat_nf_setsockopt+0x4f/0x6d
[ 474.824172] compat_ip_setsockopt+0x7e/0x8c
[ 474.828641] compat_raw_setsockopt+0x16/0x3a
[ 474.833220] compat_sock_common_setsockopt+0x1d/0x24
[ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1
[ 474.843343] ? __check_object_size+0x76/0x19a
[ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b
[ 474.853276] do_fast_syscall_32+0xaf/0xf6
[ 474.857548] entry_SYSENTER_compat+0x6b/0x7a
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/x_tables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 751fec729ffb0..e065140d0c93b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1728,7 +1728,7 @@ static int __init xt_init(void)
seqcount_init(&per_cpu(xt_recseq, i));
}
- xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
+ xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
if (!xt)
return -ENOMEM;
--
2.20.1
next prev parent reply other threads:[~2019-05-15 11:13 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 10:55 [PATCH 4.9 00/51] 4.9.177-stable review Greg Kroah-Hartman
2019-05-15 10:55 ` Greg Kroah-Hartman [this message]
2019-05-15 10:55 ` [PATCH 4.9 02/51] bpf: fix struct htab_elem layout Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 03/51] bpf: convert htab map to hlist_nulls Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 04/51] platform/x86: sony-laptop: Fix unintentional fall-through Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 05/51] USB: serial: fix unthrottle races Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 06/51] iio: adc: xilinx: fix potential use-after-free on remove Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 07/51] libnvdimm/namespace: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 08/51] HID: input: add mapping for Expose/Overview key Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 09/51] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 10/51] HID: input: add mapping for "Toggle Display" key Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 11/51] libnvdimm/btt: Fix a kmemdup failure check Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 12/51] s390/dasd: Fix capacity calculation for large volumes Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 13/51] mac80211: fix unaligned access in mesh table hash function Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 14/51] s390/3270: fix lockdep false positive on view->lock Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 15/51] mISDN: Check address length before reading address family Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 16/51] x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 17/51] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 18/51] tools lib traceevent: Fix missing equality check for strcmp Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 19/51] init: initialize jump labels before command line option parsing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 20/51] selftests: netfilter: check icmp pkttoobig errors are set as related Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 21/51] ipvs: do not schedule icmp errors from tunnels Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 22/51] MIPS: perf: ath79: Fix perfcount IRQ assignment Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 23/51] s390: ctcm: fix ctcm_new_device error return code Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 24/51] drm/sun4i: Set device driver data at bind time for use in unbind Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 25/51] selftests/net: correct the return value for run_netsocktests Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 26/51] gpu: ipu-v3: dp: fix CSC handling Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 27/51] spi: Micrel eth switch: declare missing of table Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 28/51] spi: ST ST95HF NFC: " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 29/51] Input: synaptics-rmi4 - fix possible double free Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 30/51] cw1200: fix missing unlock on error in cw1200_hw_scan() Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 31/51] ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 32/51] rtlwifi: rtl8723ae: Fix missing break in switch statement Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 33/51] Dont jump to compute_result state from check_result state Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 34/51] Revert "x86/vdso: Drop implicit common-page-size linker flag" Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 35/51] Revert "x86: vdso: Use $LD instead of $CC to link" Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 36/51] x86: vdso: Use $LD instead of $CC to link Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 37/51] x86/vdso: Drop implicit common-page-size linker flag Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 38/51] x86/vdso: Pass --eh-frame-hdr to the linker Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 39/51] powerpc/64s: Include cpu header Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 40/51] bridge: Fix error path for kobject_init_and_add() Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 41/51] fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied Greg Kroah-Hartman
2019-05-19 15:43 ` Nathan Chancellor
2019-05-19 20:27 ` Florian Westphal
2019-05-20 2:00 ` Hangbin Liu
2019-05-20 0:11 ` Sasha Levin
2019-05-20 0:29 ` David Ahern
2019-05-20 9:04 ` Greg Kroah-Hartman
2019-05-20 9:11 ` Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 42/51] net: ucc_geth - fix Oops when changing number of buffers in the ring Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 43/51] packet: Fix error path in packet_init Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 44/51] vlan: disable SIOCSHWTSTAMP in container Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 45/51] vrf: sit mtu should not be updated when vrf netdev is the link Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 46/51] ipv4: Fix raw socket lookup for local traffic Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 47/51] bonding: fix arp_validate toggling in active-backup mode Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 48/51] drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 49/51] drivers/virt/fsl_hypervisor.c: prevent integer overflow " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 50/51] powerpc/lib: fix book3s/32 boot failure due to code patching Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 51/51] powerpc/booke64: set RI in default MSR Greg Kroah-Hartman
2019-05-15 18:27 ` [PATCH 4.9 00/51] 4.9.177-stable review kernelci.org bot
2019-05-15 19:54 ` Naresh Kamboju
2019-05-16 3:34 ` Guenter Roeck
2019-05-16 11:00 ` Jon Hunter
2019-05-16 11:00 ` Jon Hunter
2019-05-16 14:09 ` shuah
2019-05-17 6:33 ` Kelsey Skunberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190515090618.008520070@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fruggeri@arista.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zsm@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.