From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Dmitry Vyukov , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH AUTOSEL for 4.14 091/161] netfilter: x_tables: fix pointer leaks to userspace Date: Mon, 9 Apr 2018 00:21:02 +0000 Message-ID: <20180409001936.162706-91-alexander.levin@microsoft.com> References: <20180409001936.162706-1-alexander.levin@microsoft.com> In-Reply-To: <20180409001936.162706-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: From: Dmitry Vyukov [ Upstream commit 1e98ffea5a8935ec040ab72299e349cb44b8defd ] Several netfilter matches and targets put kernel pointers into info objects, but don't set usersize in descriptors. This leads to kernel pointer leaks if a match/target is set and then read back to userspace. Properly set usersize for these matches/targets. Found with manual code inspection. Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize") Signed-off-by: Dmitry Vyukov Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin
---
 net/netfilter/xt_IDLETIMER.c | 1 +
 net/netfilter/xt_LED.c | 1 +
 net/netfilter/xt_limit.c | 3 +--
 net/netfilter/xt_nfacct.c | 1 +
 net/netfilter/xt_statistic.c | 1 +
 5 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index bb5d6a058fb7..1141f08810b6 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -256,6 +256,7 @@ static struct xt_target idletimer_tg __read_mostly =3D = {
 .family =3D NFPROTO_UNSPEC,
 .target =3D idletimer_tg_target,
 .targetsize =3D sizeof(struct idletimer_tg_info),
+ .usersize =3D offsetof(struct idletimer_tg_info, timer),
 .checkentry =3D idletimer_tg_checkentry,
 .destroy =3D idletimer_tg_destroy,
 .me =3D THIS_MODULE,
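Review bot: The added `.usersize = offsetof(struct idletimer_tg_info, timer)` is only correct if `timer` is the first kernel-private member and nothing userspace-visible follows it; the struct definition is outside this diff, so that layout assumption cannot be checked from the hunk. The same applies to `internal_data` in the xt_LED.c hunk, `nfacct` in xt_nfacct.c and `master` in xt_statistic.c. I would record the invariant next to each initializer, for example `/* members from 'timer' onward are kernel-private and are never copied back to userspace */`, so that a later change to the struct layout prompts a second look at this offset. The `idletimer_tg` initializer starts before the hunk and its closing brace lies after it.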
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 0858fe17e14a..2d1c5c169a26 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __read_mostly =3D {
 .family =3D NFPROTO_UNSPEC,
 .target =3D led_tg,
 .targetsize =3D sizeof(struct xt_led_info),
+ .usersize =3D offsetof(struct xt_led_info, internal_data),
 .checkentry =3D led_tg_check,
 .destroy =3D led_tg_destroy,
 .me =3D THIS_MODULE,
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index d27b5f1ea619..61403b77361c 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -193,9 +193,8 @@ static struct xt_match limit_mt_reg __read_mostly =3D {
 .compatsize =3D sizeof(struct compat_xt_rateinfo),
 .compat_from_user =3D limit_mt_compat_from_user,
 .compat_to_user =3D limit_mt_compat_to_user,
-#else
- .usersize =3D offsetof(struct xt_rateinfo, prev),
 #endif
+ .usersize =3D offsetof(struct xt_rateinfo, prev),
 .me =3D THIS_MODULE,
 };
=20
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index cc0518fe598e..6f92d25590a8 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly =3D {
 .match =3D nfacct_mt,
 .destroy =3D nfacct_mt_destroy,
 .matchsize =3D sizeof(struct xt_nfacct_match_info),
+ .usersize =3D offsetof(struct xt_nfacct_match_info, nfacct),
 .me =3D THIS_MODULE,
 };
=20
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 11de55e7a868..8710fdba2ae2 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_reg __read_mostly = =3D {
 .checkentry =3D statistic_mt_check,
 .destroy =3D statistic_mt_destroy,
 .matchsize =3D sizeof(struct xt_statistic_info),
+ .usersize =3D offsetof(struct xt_statistic_info, master),
 .me =3D THIS_MODULE,
 };
=20
--=20
2.15.1
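Review bot: In the xt_limit.c hunk the compat read-back path is not visibly covered: `.usersize = offsetof(struct xt_rateinfo, prev)` now sits after the `#endif` and so bounds the native copy-out in every configuration, but a compat caller presumably still goes through `limit_mt_compat_to_user`, which is outside the hunk and which this field does not appear to constrain. It is worth confirming that the callback fills `struct compat_xt_rateinfo` member by member and leaves the kernel pointer out. A short comment would keep the two paths from drifting apart, e.g. `/* native copy-out stops at 'prev'; compat copy-out is done by limit_mt_compat_to_user() */`. The `limit_mt_reg` initializer and the opening of the conditional block both start before the hunk.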