From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-sn1nam02on0102.outbound.protection.outlook.com ([104.47.36.102]:30848 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754038AbeDIAT1 (ORCPT ); Sun, 8 Apr 2018 20:19:27 -0400
From: Sasha Levin
To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org"
CC: Dmitry Vyukov , Pablo Neira Ayuso , Sasha Levin
Subject: [PATCH AUTOSEL for 4.15 111/189] netfilter: x_tables: fix pointer leaks to userspace
Date: Mon, 9 Apr 2018 00:18:13 +0000
Message-ID: <20180409001637.162453-111-alexander.levin@microsoft.com>
References: <20180409001637.162453-1-alexander.levin@microsoft.com>
In-Reply-To: <20180409001637.162453-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID:

From: Dmitry Vyukov

[ Upstream commit 1e98ffea5a8935ec040ab72299e349cb44b8defd ]

Several netfilter matches and targets put kernel pointers into info objects, but don't set usersize in descriptors. This leads to kernel pointer leaks if a match/target is set and then read back to userspace. Properly set usersize for these matches/targets.

Found with manual code inspection.

Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/netfilter/xt_IDLETIMER.c | 1 +
 net/netfilter/xt_LED.c | 1 +
 net/netfilter/xt_limit.c | 3 +--
 net/netfilter/xt_nfacct.c | 1 +
 net/netfilter/xt_statistic.c | 1 +
 5 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c index 18b7412ab99a..1ac6600bfafd 100644 --- a/net/netfilter/xt_IDLETIMER.c +++ b/net/netfilter/xt_IDLETIMER.c
@@ -255,6 +255,7 @@ static struct xt_target idletimer_tg __read_mostly =3D = { .family =3D NFPROTO_UNSPEC, .target =3D idletimer_tg_target, .targetsize =3D sizeof(struct idletimer_tg_info), + .usersize =3D offsetof(struct idletimer_tg_info, timer), .checkentry =3D idletimer_tg_checkentry, .destroy =3D idletimer_tg_destroy, .me =3D THIS_MODULE, diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c index 18d3af5e1098..0fb2133165aa 100644 --- a/net/netfilter/xt_LED.c +++ b/net/netfilter/xt_LED.c @@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __read_mostly =3D { .family =3D NFPROTO_UNSPEC, .target =3D led_tg, .targetsize =3D sizeof(struct xt_led_info), + .usersize =3D offsetof(struct xt_led_info, internal_data), .checkentry =3D led_tg_check, .destroy =3D led_tg_destroy, .me =3D THIS_MODULE, diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index d27b5f1ea619..61403b77361c 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c @@ -193,9 +193,8 @@ static struct xt_match limit_mt_reg __read_mostly =3D { .compatsize =3D sizeof(struct compat_xt_rateinfo), .compat_from_user =3D limit_mt_compat_from_user, .compat_to_user =3D limit_mt_compat_to_user, -#else - .usersize =3D offsetof(struct xt_rateinfo, prev), #endif + .usersize =3D offsetof(struct xt_rateinfo, prev), .me =3D THIS_MODULE, }; =20 diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c index cc0518fe598e..6f92d25590a8 100644 --- a/net/netfilter/xt_nfacct.c +++ b/net/netfilter/xt_nfacct.c @@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly =3D { .match =3D nfacct_mt, .destroy =3D nfacct_mt_destroy, .matchsize =3D sizeof(struct xt_nfacct_match_info), + .usersize =3D offsetof(struct xt_nfacct_match_info, nfacct), .me =3D THIS_MODULE, }; =20 diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c index 11de55e7a868..8710fdba2ae2 100644 --- a/net/netfilter/xt_statistic.c +++ b/net/netfilter/xt_statistic.c 
@@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_reg __read_mostly = =3D { .checkentry =3D statistic_mt_check, .destroy =3D statistic_mt_destroy, .matchsize =3D sizeof(struct xt_statistic_info), + .usersize =3D offsetof(struct xt_statistic_info, master), .me =3D THIS_MODULE, }; =20 --=20 2.15.1
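
Review bot: in the xt_IDLETIMER.c hunk, `.usersize = offsetof(struct idletimer_tg_info, timer)` is only correct if `timer` is the first kernel-only member of the struct and no user-visible field follows it. The struct definition is not part of this diff, so that layout should be confirmed during review, and a short comment on the struct stating that fields from `timer` onward are never copied to userspace would keep a later field addition from reopening the leak. The same layout check applies to `internal_data`, `nfacct` and `master` in the xt_LED.c, xt_nfacct.c and xt_statistic.c hunks.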
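
Review bot: in the xt_limit.c hunk, the changelog does not cover this case: `.usersize` already existed here but sat under `#else`, so it was missing only when the compat branch (`.compatsize`, `.compat_to_user`) was compiled in, whereas the other four descriptors had no usersize at all. One sentence in the commit message saying that the limit match was affected only in that build configuration would help anyone assessing the backport. As a style point, the initializer now sits after `#endif`, while the other hunks place it directly after the `.targetsize`/`.matchsize` field; putting it next to the size field here too would keep the descriptors uniform.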
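
The read-back leak described in the commit message, as an added userspace model (not code from the patch or the kernel). `struct demo_info`, `model_data_to_user` and the zero-fill of the uncopied tail are assumptions made for illustration; the only behaviour taken from the page is that an unset usersize lets the whole info object, pointer included, be returned.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical info object: user-visible fields first, kernel-only pointer last. */
struct demo_info {
    uint32_t timeout;   /* supplied by userspace */
    char     label[12]; /* supplied by userspace */
    void    *priv;      /* kernel-only, filled in when the rule is checked */
};

/* Model of the copy-back step: copy usersize bytes, or the whole object when
 * usersize is 0 (unset), then zero whatever was not copied (assumption). */
static void model_data_to_user(void *dst, const void *src,
                               size_t usersize, size_t size)
{
    size_t n = usersize ? usersize : size;

    memcpy(dst, src, n);
    memset((char *)dst + n, 0, size - n);
}

/* Returns 1 if the bytes handed back contain the kernel-only pointer. */
static int readback_leaks_pointer(size_t usersize)
{
    static int kernel_object; /* stands in for a kernel allocation */
    struct demo_info k = { .timeout = 30, .label = "demo", .priv = &kernel_object };
    unsigned char out[sizeof k];
    void *seen;

    model_data_to_user(out, &k, usersize, sizeof k);
    memcpy(&seen, out + offsetof(struct demo_info, priv), sizeof seen);
    return seen == k.priv;
}

/* Returns 1 if the user-visible fields survive the truncated copy. */
static int readback_keeps_user_fields(size_t usersize)
{
    struct demo_info k = { .timeout = 30, .label = "demo", .priv = NULL };
    struct demo_info out;

    model_data_to_user(&out, &k, usersize, sizeof k);
    return out.timeout == 30 && strcmp(out.label, "demo") == 0;
}

int main(void)
{
    /* Unset usersize returns the pointer; offsetof(..., priv) stops before it. */
    return !(readback_leaks_pointer(0) == 1 &&
             readback_leaks_pointer(offsetof(struct demo_info, priv)) == 0);
}
```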