Patch "nf_conntrack: avoid kernel pointer value leak in slab name" has been added to the 4.5-stable tree

Patch "nf_conntrack: avoid kernel pointer value leak in slab name" has been added to the 4.5-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    nf_conntrack: avoid kernel pointer value leak in slab name

to the 4.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch
and it can be found in the queue-4.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 31b0b385f69d8d5491a4bca288e25e63f1d945d0 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat, 14 May 2016 11:11:44 -0700
Subject: nf_conntrack: avoid kernel pointer value leak in slab name

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 31b0b385f69d8d5491a4bca288e25e63f1d945d0 upstream.

The slab name ends up being visible in the directory structure under
/sys, and even if you don't have access rights to the file you can see
the filenames.

Just use a 64-bit counter instead of the pointer to the 'net' structure
to generate a unique name.

This code will go away in 4.7 when the conntrack code moves to a single
kmemcache, but this is the backportable simple solution to avoiding
leaking kernel pointers to user space.

Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_conntrack_core.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void)
 
 int nf_conntrack_init_net(struct net *net)
 {
+	static atomic64_t unique_id;
 	int ret = -ENOMEM;
 	int cpu;
 
@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne
 	if (!net->ct.stat)
 		goto err_pcpu_lists;
 
-	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
+	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
+				(u64)atomic64_inc_return(&unique_id));
 	if (!net->ct.slabname)
 		goto err_slabname;
 


Patches currently in stable-queue which might be from torvalds@linux-foundation.org are

queue-4.5/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch
queue-4.5/ocfs2-fix-posix_acl_create-deadlock.patch
queue-4.5/ocfs2-revert-using-ocfs2_acl_chmod-to-avoid-inode-cluster-lock-hang.patch
queue-4.5/mm-thp-calculate-the-mapcount-correctly-for-thp-pages-during-wp-faults.patch
queue-4.5/perf-core-disable-the-event-on-a-truncated-aux-record.patch
queue-4.5/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
queue-4.5/perf-diff-fix-duplicated-output-column.patch
queue-4.5/zsmalloc-fix-zs_can_compact-integer-overflow.patch