From: Luis Henriques <luis.henriques@canonical.com>
To: gregkh@linuxfoundation.org
Cc: fw@strlen.de, pablo@netfilter.org, stable@vger.kernel.org,
stable-commits@vger.kernel.org
Subject: Re: Patch "netfilter: x_tables: introduce and use xt_copy_counters_from_user" has been added to the 4.4-stable tree
Date: Thu, 23 Jun 2016 19:18:57 +0100 [thread overview]
Message-ID: <20160623181857.GA32482@ares> (raw)
In-Reply-To: <14666572377056@kroah.com>
On Wed, Jun 22, 2016 at 09:47:17PM -0700, Greg Kroah-Hartman wrote:
>
> This is a note to let you know that I've just added the patch titled
>
> netfilter: x_tables: introduce and use xt_copy_counters_from_user
>
> to the 4.4-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> netfilter-x_tables-introduce-and-use-xt_copy_counters_from_user.patch
> and it can be found in the queue-4.4 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
This patch is not queued for the 3.14 kernel; was this on purpose, or is
there a good reason for that? It looks like it's a clean cherry-pick.
Cheers,
--
Lu�s
>
> From d7591f0c41ce3e67600a982bab6989ef0f07b3ce Mon Sep 17 00:00:00 2001
> From: Florian Westphal <fw@strlen.de>
> Date: Fri, 1 Apr 2016 15:37:59 +0200
> Subject: netfilter: x_tables: introduce and use xt_copy_counters_from_user
>
> From: Florian Westphal <fw@strlen.de>
>
> commit d7591f0c41ce3e67600a982bab6989ef0f07b3ce upstream.
>
> The three variants use same copy&pasted code, condense this into a
> helper and use that.
>
> Make sure info.name is 0-terminated.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ---
> include/linux/netfilter/x_tables.h | 3 +
> net/ipv4/netfilter/arp_tables.c | 48 ++----------------------
> net/ipv4/netfilter/ip_tables.c | 48 ++----------------------
> net/ipv6/netfilter/ip6_tables.c | 49 ++----------------------
> net/netfilter/x_tables.c | 74 +++++++++++++++++++++++++++++++++++++
> 5 files changed, 92 insertions(+), 130 deletions(-)
>
> --- a/include/linux/netfilter/x_tables.h
> +++ b/include/linux/netfilter/x_tables.h
> @@ -248,6 +248,9 @@ int xt_check_match(struct xt_mtchk_param
> int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
> bool inv_proto);
>
> +void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
> + struct xt_counters_info *info, bool compat);
> +
> struct xt_table *xt_register_table(struct net *net,
> const struct xt_table *table,
> struct xt_table_info *bootstrap,
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -1130,55 +1130,17 @@ static int do_add_counters(struct net *n
> unsigned int i;
> struct xt_counters_info tmp;
> struct xt_counters *paddc;
> - unsigned int num_counters;
> - const char *name;
> - int size;
> - void *ptmp;
> struct xt_table *t;
> const struct xt_table_info *private;
> int ret = 0;
> struct arpt_entry *iter;
> unsigned int addend;
> -#ifdef CONFIG_COMPAT
> - struct compat_xt_counters_info compat_tmp;
>
> - if (compat) {
> - ptmp = &compat_tmp;
> - size = sizeof(struct compat_xt_counters_info);
> - } else
> -#endif
> - {
> - ptmp = &tmp;
> - size = sizeof(struct xt_counters_info);
> - }
> -
> - if (copy_from_user(ptmp, user, size) != 0)
> - return -EFAULT;
> -
> -#ifdef CONFIG_COMPAT
> - if (compat) {
> - num_counters = compat_tmp.num_counters;
> - name = compat_tmp.name;
> - } else
> -#endif
> - {
> - num_counters = tmp.num_counters;
> - name = tmp.name;
> - }
> -
> - if (len != size + num_counters * sizeof(struct xt_counters))
> - return -EINVAL;
> -
> - paddc = vmalloc(len - size);
> - if (!paddc)
> - return -ENOMEM;
> -
> - if (copy_from_user(paddc, user + size, len - size) != 0) {
> - ret = -EFAULT;
> - goto free;
> - }
> + paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
> + if (IS_ERR(paddc))
> + return PTR_ERR(paddc);
>
> - t = xt_find_table_lock(net, NFPROTO_ARP, name);
> + t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name);
> if (IS_ERR_OR_NULL(t)) {
> ret = t ? PTR_ERR(t) : -ENOENT;
> goto free;
> @@ -1186,7 +1148,7 @@ static int do_add_counters(struct net *n
>
> local_bh_disable();
> private = t->private;
> - if (private->number != num_counters) {
> + if (private->number != tmp.num_counters) {
> ret = -EINVAL;
> goto unlock_up_free;
> }
> --- a/net/ipv4/netfilter/ip_tables.c
> +++ b/net/ipv4/netfilter/ip_tables.c
> @@ -1313,55 +1313,17 @@ do_add_counters(struct net *net, const v
> unsigned int i;
> struct xt_counters_info tmp;
> struct xt_counters *paddc;
> - unsigned int num_counters;
> - const char *name;
> - int size;
> - void *ptmp;
> struct xt_table *t;
> const struct xt_table_info *private;
> int ret = 0;
> struct ipt_entry *iter;
> unsigned int addend;
> -#ifdef CONFIG_COMPAT
> - struct compat_xt_counters_info compat_tmp;
>
> - if (compat) {
> - ptmp = &compat_tmp;
> - size = sizeof(struct compat_xt_counters_info);
> - } else
> -#endif
> - {
> - ptmp = &tmp;
> - size = sizeof(struct xt_counters_info);
> - }
> -
> - if (copy_from_user(ptmp, user, size) != 0)
> - return -EFAULT;
> -
> -#ifdef CONFIG_COMPAT
> - if (compat) {
> - num_counters = compat_tmp.num_counters;
> - name = compat_tmp.name;
> - } else
> -#endif
> - {
> - num_counters = tmp.num_counters;
> - name = tmp.name;
> - }
> -
> - if (len != size + num_counters * sizeof(struct xt_counters))
> - return -EINVAL;
> -
> - paddc = vmalloc(len - size);
> - if (!paddc)
> - return -ENOMEM;
> -
> - if (copy_from_user(paddc, user + size, len - size) != 0) {
> - ret = -EFAULT;
> - goto free;
> - }
> + paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
> + if (IS_ERR(paddc))
> + return PTR_ERR(paddc);
>
> - t = xt_find_table_lock(net, AF_INET, name);
> + t = xt_find_table_lock(net, AF_INET, tmp.name);
> if (IS_ERR_OR_NULL(t)) {
> ret = t ? PTR_ERR(t) : -ENOENT;
> goto free;
> @@ -1369,7 +1331,7 @@ do_add_counters(struct net *net, const v
>
> local_bh_disable();
> private = t->private;
> - if (private->number != num_counters) {
> + if (private->number != tmp.num_counters) {
> ret = -EINVAL;
> goto unlock_up_free;
> }
> --- a/net/ipv6/netfilter/ip6_tables.c
> +++ b/net/ipv6/netfilter/ip6_tables.c
> @@ -1325,55 +1325,16 @@ do_add_counters(struct net *net, const v
> unsigned int i;
> struct xt_counters_info tmp;
> struct xt_counters *paddc;
> - unsigned int num_counters;
> - char *name;
> - int size;
> - void *ptmp;
> struct xt_table *t;
> const struct xt_table_info *private;
> int ret = 0;
> struct ip6t_entry *iter;
> unsigned int addend;
> -#ifdef CONFIG_COMPAT
> - struct compat_xt_counters_info compat_tmp;
>
> - if (compat) {
> - ptmp = &compat_tmp;
> - size = sizeof(struct compat_xt_counters_info);
> - } else
> -#endif
> - {
> - ptmp = &tmp;
> - size = sizeof(struct xt_counters_info);
> - }
> -
> - if (copy_from_user(ptmp, user, size) != 0)
> - return -EFAULT;
> -
> -#ifdef CONFIG_COMPAT
> - if (compat) {
> - num_counters = compat_tmp.num_counters;
> - name = compat_tmp.name;
> - } else
> -#endif
> - {
> - num_counters = tmp.num_counters;
> - name = tmp.name;
> - }
> -
> - if (len != size + num_counters * sizeof(struct xt_counters))
> - return -EINVAL;
> -
> - paddc = vmalloc(len - size);
> - if (!paddc)
> - return -ENOMEM;
> -
> - if (copy_from_user(paddc, user + size, len - size) != 0) {
> - ret = -EFAULT;
> - goto free;
> - }
> -
> - t = xt_find_table_lock(net, AF_INET6, name);
> + paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
> + if (IS_ERR(paddc))
> + return PTR_ERR(paddc);
> + t = xt_find_table_lock(net, AF_INET6, tmp.name);
> if (IS_ERR_OR_NULL(t)) {
> ret = t ? PTR_ERR(t) : -ENOENT;
> goto free;
> @@ -1381,7 +1342,7 @@ do_add_counters(struct net *net, const v
>
> local_bh_disable();
> private = t->private;
> - if (private->number != num_counters) {
> + if (private->number != tmp.num_counters) {
> ret = -EINVAL;
> goto unlock_up_free;
> }
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -751,6 +751,80 @@ int xt_check_target(struct xt_tgchk_para
> }
> EXPORT_SYMBOL_GPL(xt_check_target);
>
> +/**
> + * xt_copy_counters_from_user - copy counters and metadata from userspace
> + *
> + * @user: src pointer to userspace memory
> + * @len: alleged size of userspace memory
> + * @info: where to store the xt_counters_info metadata
> + * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
> + *
> + * Copies counter meta data from @user and stores it in @info.
> + *
> + * vmallocs memory to hold the counters, then copies the counter data
> + * from @user to the new memory and returns a pointer to it.
> + *
> + * If @compat is true, @info gets converted automatically to the 64bit
> + * representation.
> + *
> + * The metadata associated with the counters is stored in @info.
> + *
> + * Return: returns pointer that caller has to test via IS_ERR().
> + * If IS_ERR is false, caller has to vfree the pointer.
> + */
> +void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
> + struct xt_counters_info *info, bool compat)
> +{
> + void *mem;
> + u64 size;
> +
> +#ifdef CONFIG_COMPAT
> + if (compat) {
> + /* structures only differ in size due to alignment */
> + struct compat_xt_counters_info compat_tmp;
> +
> + if (len <= sizeof(compat_tmp))
> + return ERR_PTR(-EINVAL);
> +
> + len -= sizeof(compat_tmp);
> + if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
> + return ERR_PTR(-EFAULT);
> +
> + strlcpy(info->name, compat_tmp.name, sizeof(info->name));
> + info->num_counters = compat_tmp.num_counters;
> + user += sizeof(compat_tmp);
> + } else
> +#endif
> + {
> + if (len <= sizeof(*info))
> + return ERR_PTR(-EINVAL);
> +
> + len -= sizeof(*info);
> + if (copy_from_user(info, user, sizeof(*info)) != 0)
> + return ERR_PTR(-EFAULT);
> +
> + info->name[sizeof(info->name) - 1] = '\0';
> + user += sizeof(*info);
> + }
> +
> + size = sizeof(struct xt_counters);
> + size *= info->num_counters;
> +
> + if (size != (u64)len)
> + return ERR_PTR(-EINVAL);
> +
> + mem = vmalloc(len);
> + if (!mem)
> + return ERR_PTR(-ENOMEM);
> +
> + if (copy_from_user(mem, user, len) == 0)
> + return mem;
> +
> + vfree(mem);
> + return ERR_PTR(-EFAULT);
> +}
> +EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
> +
> #ifdef CONFIG_COMPAT
> int xt_compat_target_offset(const struct xt_target *target)
> {
>
>
> Patches currently in stable-queue which might be from fw@strlen.de are
>
> queue-4.4/netfilter-x_tables-validate-targets-of-jumps.patch
> queue-4.4/netfilter-x_tables-introduce-and-use-xt_copy_counters_from_user.patch
> queue-4.4/netfilter-arp_tables-simplify-translate_compat_table-args.patch
> queue-4.4/netfilter-x_tables-validate-e-target_offset-early.patch
> queue-4.4/netfilter-x_tables-assert-minimum-target-size.patch
> queue-4.4/netfilter-ip6_tables-simplify-translate_compat_table-args.patch
> queue-4.4/netfilter-x_tables-check-for-bogus-target-offset.patch
> queue-4.4/netfilter-x_tables-add-compat-version-of-xt_check_entry_offsets.patch
> queue-4.4/netfilter-x_tables-don-t-reject-valid-target-size-on-some-architectures.patch
> queue-4.4/netfilter-x_tables-check-standard-target-size-too.patch
> queue-4.4/netfilter-x_tables-xt_compat_match_from_user-doesn-t-need-a-retval.patch
> queue-4.4/netfilter-x_tables-do-compat-validation-via-translate_table.patch
> queue-4.4/netfilter-x_tables-add-and-use-xt_check_entry_offsets.patch
> queue-4.4/netfilter-x_tables-don-t-move-to-non-existent-next-rule.patch
> queue-4.4/netfilter-x_tables-kill-check_entry-helper.patch
> queue-4.4/netfilter-x_tables-validate-all-offsets-and-sizes-in-a-rule.patch
> queue-4.4/netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob-size.patch
> queue-4.4/netfilter-ip_tables-simplify-translate_compat_table-args.patch
> queue-4.4/netfilter-x_tables-fix-unconditional-helper.patch
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-06-23 18:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-23 4:47 Patch "netfilter: x_tables: introduce and use xt_copy_counters_from_user" has been added to the 4.4-stable tree gregkh
2016-06-23 18:18 ` Luis Henriques [this message]
2016-06-24 2:49 ` Greg KH
2016-06-24 10:54 ` Luis Henriques
2016-06-24 15:41 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160623181857.GA32482@ares \
--to=luis.henriques@canonical.com \
--cc=fw@strlen.de \
--cc=gregkh@linuxfoundation.org \
--cc=pablo@netfilter.org \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).