From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>, Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 195/209] netfilter: nft_compat: do not dump private area
Date: Tue, 12 Nov 2019 20:50:11 -0500 [thread overview]
Message-ID: <20191113015025.9685-195-sashal@kernel.org> (raw)
In-Reply-To: <20191113015025.9685-1-sashal@kernel.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit d701d8117200399d85e63a737d2e4e897932f3b6 ]
Zero pad private area, otherwise we expose private kernel pointer to
userspace. This patch also zeroes the tail area after the ->matchsize
and ->targetsize that results from XT_ALIGN().
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_compat.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 1245e02239d90..469f9da5073bf 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -269,6 +269,24 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
kfree(expr->ops);
}
+static int nft_extension_dump_info(struct sk_buff *skb, int attr,
+ const void *info,
+ unsigned int size, unsigned int user_size)
+{
+ unsigned int info_size, aligned_size = XT_ALIGN(size);
+ struct nlattr *nla;
+
+ nla = nla_reserve(skb, attr, aligned_size);
+ if (!nla)
+ return -1;
+
+ info_size = user_size ? : size;
+ memcpy(nla_data(nla), info, info_size);
+ memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
+
+ return 0;
+}
+
static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
const struct xt_target *target = expr->ops->data;
@@ -276,7 +294,8 @@ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
- nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(target->targetsize), info))
+ nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
+ target->targetsize, target->usersize))
goto nla_put_failure;
return 0;
@@ -504,7 +523,8 @@ static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
- nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(match->matchsize), info))
+ nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
+ match->matchsize, match->usersize))
goto nla_put_failure;
return 0;
--
2.20.1
next prev parent reply other threads:[~2019-11-13 2:18 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-13 1:46 [PATCH AUTOSEL 4.19 001/209] net: ovs: fix return type of ndo_start_xmit function Sasha Levin
2019-11-13 1:46 ` [PATCH AUTOSEL 4.19 002/209] net: xen-netback: " Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 005/209] net: hns3: Fix for netdev not up problem when setting mtu Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 006/209] net: hns3: Fix loss of coal configuration while doing reset Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 010/209] tcp: up initial rmem to 128KB and SYN rwin to around 64KB Sasha Levin
[not found] ` <CAP12E-JHedm+OA9Zaf6PaZBuNw5ddmeMn4RMcSWFFNrH=MpOhA@mail.gmail.com>
2019-12-17 0:00 ` Vishwanath Pai
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 011/209] openvswitch: Use correct reply values in datapath and vport ops Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 012/209] SUNRPC: Fix priority queue fairness Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 018/209] mt76x2: fix tx power configuration for VHT mcs 9 Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 019/209] mt76x2: disable WLAN core before probe Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 020/209] mt76: fix handling ps-poll frames Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 025/209] ath10k: fix vdev-start timeout on error Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 026/209] rtlwifi: btcoex: Use proper enumerated types for Wi-Fi only interface Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 032/209] ath9k: fix reporting calculated new FFT upper max Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 033/209] selftests/tls: Fix recv(MSG_PEEK) & splice() test cases Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 036/209] nl80211: Fix a GET_KEY reply attribute Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 050/209] sunrpc: Fix connect metrics Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 053/209] cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update Sasha Levin
2019-11-13 1:47 ` [PATCH AUTOSEL 4.19 054/209] cxgb4: Use proper enum in IEEE_FAUX_SYNC Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 066/209] ice: Fix forward to queue group logic Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 068/209] ixgbe: Fix ixgbe TX hangs with XDP_TX beyond queue limit Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 069/209] i40e: Use proper enum in i40e_ndo_set_vf_link_state Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 070/209] ixgbe: Fix crash with VFs and flow director on interface flap Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 088/209] qed: Avoid implicit enum conversion in qed_ooo_submit_tx_buffers Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 094/209] bnxt_en: return proper error when FW returns HWRM_ERR_CODE_RESOURCE_ACCESS_DENIED Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 100/209] brcmfmac: reduce timeout for action frame scan Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 101/209] brcmfmac: fix full timeout waiting for action frame on-channel tx Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 102/209] qtnfmac: request userspace to do OBSS scanning if FW can not Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 103/209] qtnfmac: pass sgi rate info flag to wireless core Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 104/209] qtnfmac: inform wireless core about supported extended capabilities Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 105/209] qtnfmac: drop error reports for out-of-bounds key indexes Sasha Levin
2019-11-13 1:48 ` [PATCH AUTOSEL 4.19 123/209] net: hns3: Fix for rx vlan id handle to support Rev 0x21 hardware Sasha Levin
2019-11-13 1:49 ` [PATCH AUTOSEL 4.19 124/209] tc-testing: fix build of eBPF programs Sasha Levin
2019-11-13 1:49 ` [PATCH AUTOSEL 4.19 132/209] xfrm: use correct size to initialise sp->ovec Sasha Levin
2019-11-13 1:49 ` [PATCH AUTOSEL 4.19 134/209] iwlwifi: mvm: don't send keys when entering D3 Sasha Levin
2019-11-13 1:49 ` [PATCH AUTOSEL 4.19 135/209] xsk: proper AF_XDP socket teardown ordering Sasha Levin
2019-11-13 1:49 ` [PATCH AUTOSEL 4.19 177/209] bpf: btf: Fix a missing check bug Sasha Levin
2019-11-13 1:49 ` [PATCH AUTOSEL 4.19 178/209] net: fix generic XDP to handle if eth header was mangled Sasha Levin
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 193/209] selftests: forwarding: Have lldpad_app_wait_set() wait for unknown, too Sasha Levin
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 194/209] net: sched: avoid writing on noop_qdisc Sasha Levin
2019-11-13 1:50 ` Sasha Levin [this message]
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 197/209] mac80211: minstrel: fix using short preamble CCK rates on HT clients Sasha Levin
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 198/209] mac80211: minstrel: fix CCK rate group streams value Sasha Levin
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 199/209] mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode Sasha Levin
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 201/209] mlxsw: spectrum_switchdev: Check notification relevance based on upper device Sasha Levin
2019-11-13 1:50 ` [PATCH AUTOSEL 4.19 203/209] tcp: start receiver buffer autotuning sooner Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191113015025.9685-195-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=coreteam@netfilter.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).