From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.14 38/65] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
Date: Wed, 22 Jan 2020 10:29:23 +0100 [thread overview]
Message-ID: <20200122092756.358278429@linuxfoundation.org> (raw)
In-Reply-To: <20200122092750.976732974@linuxfoundation.org>
From: Florian Westphal <fw@strlen.de>
commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
An earlier commit (1b789577f655060d98d20e,
"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
fixed missing net initialization for arptables, but turns out it was
incomplete. We can get a very similar struct net NULL deref during
error unwinding:
general protection fault: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
Also init the netns pointer in xt_tgdtor_param struct.
Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/netfilter/arp_tables.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -506,12 +506,13 @@ static inline int check_entry_size_and_h
return 0;
}
-static inline void cleanup_entry(struct arpt_entry *e)
+static void cleanup_entry(struct arpt_entry *e, struct net *net)
{
struct xt_tgdtor_param par;
struct xt_entry_target *t;
t = arpt_get_target(e);
+ par.net = net;
par.target = t->u.kernel.target;
par.targinfo = t->data;
par.family = NFPROTO_ARP;
@@ -601,7 +602,7 @@ static int translate_table(struct net *n
xt_entry_foreach(iter, entry0, newinfo->size) {
if (i-- == 0)
break;
- cleanup_entry(iter);
+ cleanup_entry(iter, net);
}
return ret;
}
@@ -926,7 +927,7 @@ static int __do_replace(struct net *net,
/* Decrease module usage counts and free resource */
loc_cpu_old_entry = oldinfo->entries;
xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
- cleanup_entry(iter);
+ cleanup_entry(iter, net);
xt_free_table_info(oldinfo);
if (copy_to_user(counters_ptr, counters,
@@ -990,7 +991,7 @@ static int do_replace(struct net *net, c
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
+ cleanup_entry(iter, net);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1287,7 +1288,7 @@ static int compat_do_replace(struct net
free_newinfo_untrans:
xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
- cleanup_entry(iter);
+ cleanup_entry(iter, net);
free_newinfo:
xt_free_table_info(newinfo);
return ret;
@@ -1514,7 +1515,7 @@ static int do_arpt_get_ctl(struct sock *
return ret;
}
-static void __arpt_unregister_table(struct xt_table *table)
+static void __arpt_unregister_table(struct net *net, struct xt_table *table)
{
struct xt_table_info *private;
void *loc_cpu_entry;
@@ -1526,7 +1527,7 @@ static void __arpt_unregister_table(stru
/* Decrease module usage counts and free resources */
loc_cpu_entry = private->entries;
xt_entry_foreach(iter, loc_cpu_entry, private->size)
- cleanup_entry(iter);
+ cleanup_entry(iter, net);
if (private->number > private->initial_entries)
module_put(table_owner);
xt_free_table_info(private);
@@ -1566,7 +1567,7 @@ int arpt_register_table(struct net *net,
ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
if (ret != 0) {
- __arpt_unregister_table(new_table);
+ __arpt_unregister_table(net, new_table);
*res = NULL;
}
@@ -1581,7 +1582,7 @@ void arpt_unregister_table(struct net *n
const struct nf_hook_ops *ops)
{
nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
- __arpt_unregister_table(table);
+ __arpt_unregister_table(net, table);
}
/* The built-in targets: standard (NULL) and error. */
next prev parent reply other threads:[~2020-01-22 9:50 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 9:28 [PATCH 4.14 00/65] 4.14.167-stable review Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 01/65] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 02/65] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 03/65] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 04/65] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 05/65] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 06/65] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 07/65] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 08/65] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 09/65] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 10/65] USB: serial: option: Add support for Quectel RM500Q Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 11/65] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 12/65] USB: serial: option: add support for Quectel RM500Q in QDL mode Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 13/65] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.14 14/65] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 15/65] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 16/65] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 17/65] USB: serial: quatech2: " Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 18/65] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 19/65] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 20/65] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Greg Kroah-Hartman
2020-01-23 23:01 ` Guenter Roeck
2020-01-24 7:38 ` Greg Kroah-Hartman
2020-04-20 14:15 ` Ben Hutchings
2020-01-22 9:29 ` [PATCH 4.14 21/65] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 22/65] x86/resctrl: Fix an imbalance in domain_remove_cpu() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 23/65] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 24/65] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 25/65] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 26/65] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 27/65] btrfs: fix memory leak in qgroup accounting Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 28/65] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 29/65] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 30/65] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 31/65] USB: serial: io_edgeport: use irqsave() in USBs complete callback Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 32/65] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 33/65] mm/huge_memory.c: make __thp_get_unmapped_area static Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 34/65] mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 35/65] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 36/65] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 37/65] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22 9:29 ` Greg Kroah-Hartman [this message]
2020-01-22 9:29 ` [PATCH 4.14 39/65] NFC: pn533: fix bulk-message timeout Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 40/65] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 41/65] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 42/65] hv_netvsc: Fix memory leak when removing rndis device Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 43/65] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 44/65] net: hns: fix soft lockup when there is not enough memory Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 45/65] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 46/65] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 47/65] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 48/65] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 49/65] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 50/65] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 51/65] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 52/65] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 53/65] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 54/65] tick/sched: Annotate lockless access to last_jiffies_update Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 55/65] Revert "arm64: dts: juno: add dma-ranges property" Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 56/65] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 57/65] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 58/65] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 59/65] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 60/65] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 61/65] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 62/65] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 63/65] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 64/65] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.14 65/65] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22 14:39 ` [PATCH 4.14 00/65] 4.14.167-stable review Naresh Kamboju
[not found] ` <20200122092750.976732974-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-01-22 14:58 ` Jon Hunter
2020-01-22 14:58 ` Jon Hunter
2020-01-22 19:00 ` Guenter Roeck
2020-01-22 20:53 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122092756.358278429@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.