From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Juhee Kang <claudiajkang@gmail.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 12/95] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
Date: Mon, 25 Oct 2021 21:14:09 +0200 [thread overview]
Message-ID: <20211025190958.656785010@linuxfoundation.org> (raw)
In-Reply-To: <20211025190956.374447057@linuxfoundation.org>
From: Juhee Kang <claudiajkang@gmail.com>
[ Upstream commit 902c0b1887522a099aa4e1e6b4b476c2fe5dd13e ]
Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
structure is initialized by kmalloc on executing idletimer_tg_create
function. However, in this process timer->timer_type is not defined to
a specific value. Thus, timer->timer_type has garbage value and it occurs
kernel panic. So, this commit fixes the panic by initializing
timer->timer_type using kzalloc instead of kmalloc.
Test commands:
# iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
$ cat /sys/class/xt_idletimer/timers/test
Killed
Splat looks like:
BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
dump_stack_lvl+0x6e/0x9c
kasan_report.cold+0x112/0x117
? alarm_expires_remaining+0x49/0x70
__asan_load8+0x86/0xb0
alarm_expires_remaining+0x49/0x70
idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
dev_attr_show+0x3c/0x60
sysfs_kf_seq_show+0x11d/0x1f0
? device_remove_bin_file+0x20/0x20
kernfs_seq_show+0xa4/0xb0
seq_read_iter+0x29c/0x750
kernfs_fop_read_iter+0x25a/0x2c0
? __fsnotify_parent+0x3d1/0x570
? iov_iter_init+0x70/0x90
new_sync_read+0x2a7/0x3d0
? __x64_sys_llseek+0x230/0x230
? rw_verify_area+0x81/0x150
vfs_read+0x17b/0x240
ksys_read+0xd9/0x180
? vfs_write+0x460/0x460
? do_syscall_64+0x16/0xc0
? lockdep_hardirqs_on+0x79/0x120
__x64_sys_read+0x43/0x50
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f0cdc819142
Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142
RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003
RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000
R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0
R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Signed-off-by: Juhee Kang <claudiajkang@gmail.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_IDLETIMER.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 7b2f359bfce4..2f7cf5ecebf4 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -137,7 +137,7 @@ static int idletimer_tg_create(struct idletimer_tg_info *info)
{
int ret;
- info->timer = kmalloc(sizeof(*info->timer), GFP_KERNEL);
+ info->timer = kzalloc(sizeof(*info->timer), GFP_KERNEL);
if (!info->timer) {
ret = -ENOMEM;
goto out;
--
2.33.0
next prev parent reply other threads:[~2021-10-25 19:38 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-25 19:13 [PATCH 5.10 00/95] 5.10.76-rc1 review Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 01/95] parisc: math-emu: Fix fall-through warnings Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 02/95] xhci: add quirk for host controllers that dont update endpoint DCS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 03/95] io_uring: fix splice_fd_in checks backport typo Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 04/95] arm: dts: vexpress-v2p-ca9: Fix the SMB unit-address Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 05/95] ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 06/95] block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 07/95] xen/x86: prevent PVH type from getting clobbered Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 08/95] drm/amdgpu/display: fix dependencies for DRM_AMD_DC_SI Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 09/95] xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 10/95] xtensa: xtfpga: Try software restart before simulating CPU reset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 11/95] NFSD: Keep existing listeners on portlist error Greg Kroah-Hartman
2021-10-25 19:14 ` Greg Kroah-Hartman [this message]
2021-10-25 19:14 ` [PATCH 5.10 13/95] dma-debug: fix sg checks in debug_dma_map_sg() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 14/95] ASoC: wm8960: Fix clock configuration on slave mode Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 15/95] ice: fix getting UDP tunnel entry Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 16/95] netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 17/95] netfilter: ipvs: make global sysctl readonly in non-init netns Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 18/95] lan78xx: select CRC32 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 19/95] tcp: md5: Fix overlap between vrf and non-vrf keys Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 20/95] ipv6: When forwarding count rx stats on the orig netdev Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 21/95] net: dsa: lantiq_gswip: fix register definition Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 22/95] NIOS2: irqflags: rename a redefined register name Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 23/95] powerpc/smp: do not decrement idle task preempt count in CPU offline Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 24/95] net: hns3: reset DWRR of unused tc to zero Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 25/95] net: hns3: add limit ets dwrr bandwidth cannot be 0 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 26/95] net: hns3: schedule the polling again when allocation fails Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 27/95] net: hns3: fix vf reset workqueue cannot exit Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 28/95] net: hns3: disable sriov before unload hclge layer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 29/95] net: stmmac: Fix E2E delay mechanism Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 30/95] e1000e: Fix packet loss on Tiger Lake and later Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 31/95] ice: Add missing E810 device ids Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 32/95] drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 33/95] net: enetc: fix ethtool counter name for PM0_TERR Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 34/95] can: rcar_can: fix suspend/resume Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 35/95] can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 36/95] can: peak_pci: peak_pci_remove(): fix UAF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 37/95] can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 38/95] can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 39/95] can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 40/95] can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 41/95] can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 42/95] can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 43/95] ceph: skip existing superblocks that are blocklisted or shut down when mounting Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 44/95] ceph: fix handling of "meta" errors Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 45/95] ocfs2: fix data corruption after conversion from inline format Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 46/95] ocfs2: mount fails with buffer overflow in strlen Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 47/95] userfaultfd: fix a race between writeprotect and exit_mmap() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 48/95] elfcore: correct reference to CONFIG_UML Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 49/95] vfs: check fd has read access in kernel_read_file_from_fd() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 50/95] ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 51/95] ALSA: hda/realtek: Add quirk for Clevo PC50HS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 52/95] ASoC: DAPM: Fix missing kctl change notifications Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 53/95] audit: fix possible null-pointer dereference in audit_filter_rules Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 54/95] net: dsa: mt7530: correct ds->num_ports Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 55/95] powerpc64/idle: Fix SP offsets when saving GPRs Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 56/95] KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 57/95] KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 58/95] powerpc/idle: Dont corrupt back chain when going idle Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 59/95] mm, slub: fix mismatch between reconstructed freelist depth and cnt Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 60/95] mm, slub: fix potential memoryleak in kmem_cache_open() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 61/95] mm, slub: fix incorrect memcg slab count for bulk free Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 62/95] KVM: nVMX: promptly process interrupts delivered while in guest mode Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 63/95] nfc: nci: fix the UAF of rf_conn_info object Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 64/95] isdn: cpai: check ctr->cnr to avoid array index out of bound Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 65/95] netfilter: Kconfig: use default y instead of m for bool config option Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 66/95] selftests: netfilter: remove stray bash debug line Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 67/95] net: bridge: mcast: use multicast_membership_interval for IGMPv3 Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 68/95] drm: mxsfb: Fix NULL pointer dereference crash on unload Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 69/95] net: hns3: fix the max tx size according to user manual Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 70/95] gcc-plugins/structleak: add makefile var for disabling structleak Greg Kroah-Hartman
2021-10-25 20:56 ` Pavel Machek
2021-10-25 21:07 ` Brendan Higgins
2021-10-25 21:40 ` Pavel Machek
2021-10-25 19:15 ` [PATCH 5.10 71/95] ALSA: hda: intel: Allow repeatedly probing on codec configuration errors Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 72/95] btrfs: deal with errors when checking if a dir entry exists during log replay Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 73/95] net: stmmac: add support for dwmac 3.40a Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 74/95] ARM: dts: spear3xx: Fix gmac node Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 75/95] isdn: mISDN: Fix sleeping function called from invalid context Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 76/95] platform/x86: intel_scu_ipc: Update timeout value in comment Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 77/95] ALSA: hda: avoid write to STATESTS if controller is in reset Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 78/95] libperf tests: Fix test_stat_cpu Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 79/95] perf/x86/msr: Add Sapphire Rapids CPU support Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 80/95] Input: snvs_pwrkey - add clk handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 81/95] scsi: iscsi: Fix set_param() handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 82/95] scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 83/95] sched/scs: Reset the shadow stack when idle_task_exit Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 84/95] net: hns3: fix for miscalculation of rx unused desc Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 85/95] scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 86/95] can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 87/95] s390/pci: fix zpci_zdev_put() on reserve Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 88/95] bpf, test, cgroup: Use sk_{alloc,free} for test cases Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 89/95] usbnet: sanity check for maxpacket Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 90/95] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 91/95] tracing: Have all levels of checks prevent recursion Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 92/95] e1000e: Separate TGP board type from SPT Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 93/95] selftests: bpf: fix backported ASSERT_FALSE Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 94/95] ARM: 9122/1: select HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 95/95] pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume() Greg Kroah-Hartman
2021-10-25 21:09 ` [PATCH 5.10 00/95] 5.10.76-rc1 review Florian Fainelli
2021-10-25 21:37 ` Pavel Machek
2021-10-26 0:59 ` Shuah Khan
2021-10-26 1:14 ` Fox Chen
2021-10-26 7:17 ` Naresh Kamboju
2021-10-26 9:16 ` Jon Hunter
2021-10-26 18:27 ` Sudip Mukherjee
2021-10-26 19:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211025190958.656785010@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=claudiajkang@gmail.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.