From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Francesco Ruggeri <fruggeri@arista.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 31/52] netfilter: compat: initialize all fields in xt_init
Date: Mon, 11 Mar 2019 15:54:55 -0400 [thread overview]
Message-ID: <20190311195516.137772-31-sashal@kernel.org> (raw)
In-Reply-To: <20190311195516.137772-1-sashal@kernel.org>
From: Francesco Ruggeri <fruggeri@arista.com>
[ Upstream commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f ]
If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
time, the following panic can be caused by running
% ebtables -t broute -F BROUTING
from a 32-bit user level on a 64-bit kernel. This patch replaces
kmalloc_array with kcalloc when allocating xt.
[ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920
[ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
[ 474.693838] Oops: 0000 [#1] SMP
[ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
[ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
[ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
[ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
[ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
[ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
[ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
[ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
[ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
[ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
[ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
[ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
[ 474.802052] Call Trace:
[ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables]
[ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
[ 474.815605] ? try_module_get+0x37/0x42
[ 474.819716] compat_nf_setsockopt+0x4f/0x6d
[ 474.824172] compat_ip_setsockopt+0x7e/0x8c
[ 474.828641] compat_raw_setsockopt+0x16/0x3a
[ 474.833220] compat_sock_common_setsockopt+0x1d/0x24
[ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1
[ 474.843343] ? __check_object_size+0x76/0x19a
[ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b
[ 474.853276] do_fast_syscall_32+0xaf/0xf6
[ 474.857548] entry_SYSENTER_compat+0x6b/0x7a
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/x_tables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index aecadd471e1d..13e1ac333fa4 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1899,7 +1899,7 @@ static int __init xt_init(void)
seqcount_init(&per_cpu(xt_recseq, i));
}
- xt = kmalloc_array(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
+ xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
if (!xt)
return -ENOMEM;
--
2.19.1
next prev parent reply other threads:[~2019-03-11 20:12 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-11 19:54 [PATCH AUTOSEL 4.20 01/52] drm/imx: ignore plane updates on disabled crtcs Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 02/52] gpu: ipu-v3: Fix i.MX51 CSI control registers offset Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 03/52] drm/imx: imx-ldb: add missing of_node_puts Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 04/52] gpu: ipu-v3: Fix CSI offsets for imx53 Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 05/52] ASoC: rt5682: Correct the setting while select ASRC clk for AD/DA filter Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 06/52] clocksource: timer-ti-dm: Fix pwm dmtimer usage of fck reparenting Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 07/52] KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 08/52] arm64: dts: rockchip: fix graph_port warning on rk3399 bob kevin and excavator Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 09/52] hwmon: (nct6775) Fix fan6 detection for NCT6793D Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 10/52] s390/dasd: fix using offset into zero size array error Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 11/52] Input: pwm-vibra - prevent unbalanced regulator Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 12/52] Input: pwm-vibra - stop regulator after disabling pwm, not before Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 13/52] ARM: dts: Configure clock parent for pwm vibra Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 14/52] ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 15/52] ASoC: topology: fix oops/use-after-free case with dai driver Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 16/52] ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 17/52] ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 18/52] KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 19/52] arm/arm64: KVM: Allow a VCPU to fully reset itself Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 20/52] arm/arm64: KVM: Don't panic on failure to properly reset system registers Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 21/52] KVM: arm/arm64: vgic: Always initialize the group of private IRQs Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 22/52] KVM: arm64: Forbid kprobing of the VHE world-switch code Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 23/52] ASoC: samsung: Prevent clk_get_rate() calls in atomic context Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 24/52] ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 25/52] Input: cap11xx - switch to using set_brightness_blocking() Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 26/52] Input: ps2-gpio - flush TX work when closing port Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 27/52] Input: matrix_keypad - use flush_delayed_work() Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 28/52] mac80211: call drv_ibss_join() on restart Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 29/52] cfg80211: prevent speculation on cfg80211_classify8021d() return Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 30/52] mac80211: Fix Tx aggregation session tear down with ITXQs Sasha Levin
2019-03-11 19:54 ` Sasha Levin [this message]
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 32/52] blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 33/52] ipvs: fix dependency on nf_defrag_ipv6 Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 34/52] floppy: check_events callback should not return a negative number Sasha Levin
2019-03-11 19:54 ` [PATCH AUTOSEL 4.20 35/52] xprtrdma: Make sure Send CQ is allocated on an existing compvec Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 36/52] NFS: Don't use page_file_mapping after removing the page Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 37/52] mm/gup: fix gup_pmd_range() for dax Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 38/52] Revert "mm: use early_pfn_to_nid in page_ext_init" Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 39/52] csky: Fixup _PAGE_GLOBAL bit for 610 tlb entry Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 40/52] csky: Fixup wrong pt_regs size Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 41/52] csky: Fixup io-range page attribute for mmap("/dev/mem") Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 42/52] csky: Fixup dead loop in show_stack Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 43/52] scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 44/52] net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 45/52] x86/CPU: Add Icelake model number Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 46/52] mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 47/52] net: hns: Fix object reference leaks in hns_dsaf_roce_reset() Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 48/52] i2c: cadence: Fix the hold bit setting Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 49/52] i2c: bcm2835: Clear current buffer pointers and counts after a transfer Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 50/52] auxdisplay: ht16k33: fix potential user-after-free on module unload Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 51/52] lib/crc32.c: mark crc32_le_base/__crc32c_le_base aliases as __pure Sasha Levin
2019-03-11 19:55 ` [PATCH AUTOSEL 4.20 52/52] Input: st-keyscan - fix potential zalloc NULL dereference Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190311195516.137772-31-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=coreteam@netfilter.org \
--cc=fruggeri@arista.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox