From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:47138 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754440AbdHYAtz (ORCPT ); Thu, 24 Aug 2017 20:49:55 -0400 Subject: Patch "net: sched: fix NULL pointer dereference when action calls some targets" has been added to the 4.4-stable tree To: lucien.xin@gmail.com, davem@davemloft.net, gregkh@linuxfoundation.org, pablo@netfilter.org Cc: , From: Date: Thu, 24 Aug 2017 17:49:47 -0700 Message-ID: <150362218767130@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled net: sched: fix NULL pointer dereference when action calls some targets to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-sched-fix-null-pointer-dereference-when-action-calls-some-targets.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Thu Aug 24 17:48:38 PDT 2017 From: Xin Long Date: Fri, 18 Aug 2017 11:01:36 +0800 Subject: net: sched: fix NULL pointer dereference when action calls some targets From: Xin Long [ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ] As we know in some target's checkentry it may dereference par.entryinfo to check entry stuff inside. But when sched action calls xt_check_target, par.entryinfo is set with NULL. It would cause kernel panic when calling some targets. It can be reproduce with: # tc qd add dev eth1 ingress handle ffff: # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \ -j ECN --ecn-tcp-remove It could also crash kernel when using target CLUSTERIP or TPROXY. By now there's no proper value for par.entryinfo in ipt_init_target, but it can not be set with NULL. This patch is to void all these panics by setting it with an ipt_entry obj with all members = 0. Note that this issue has been there since the very beginning. Signed-off-by: Xin Long Acked-by: Pablo Neira Ayuso Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/act_ipt.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c @@ -34,6 +34,7 @@ static int ipt_init_target(struct xt_ent { struct xt_tgchk_param par; struct xt_target *target; + struct ipt_entry e = {}; int ret = 0; target = xt_request_find_target(AF_INET, t->u.user.name, @@ -44,6 +45,7 @@ static int ipt_init_target(struct xt_ent t->u.kernel.target = target; memset(&par, 0, sizeof(par)); par.table = table; + par.entryinfo = &e; par.target = target; par.targinfo = t->data; par.hook_mask = hook; Patches currently in stable-queue which might be from lucien.xin@gmail.com are queue-4.4/net-sched-fix-null-pointer-dereference-when-action-calls-some-targets.patch queue-4.4/sctp-fully-initialize-the-ipv6-address-in-sctp_v6_to_addr.patch