Date: Tue, 12 Mar 2019 13:04:15 -0700
From: Zubin Mithra
To: stable@vger.kernel.org
Cc: groeck@chromium.org, gregkh@linuxfoundation.org, phil.turnbull@oracle.com, pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net
Subject: 017b1b6d28c4 ("netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters")
Message-ID: <20190312200413.GA128459@google.com>
X-Mailing-List: stable@vger.kernel.org

Hello,

Syzkaller has triggered a GPF when fuzzing a 4.4 kernel with the following stacktrace.
Call Trace:
 [] nfnetlink_rcv_msg+0xa59/0xbc0 net/netfilter/nfnetlink.c:215
 [] netlink_rcv_skb+0x149/0x380 net/netlink/af_netlink.c:2296
 [] nfnetlink_rcv+0x2ac/0x1190 net/netfilter/nfnetlink.c:479
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1223 [inline]
 [] netlink_unicast+0x51e/0x760 net/netlink/af_netlink.c:1249
 [] netlink_sendmsg+0x8c5/0xc20 net/netlink/af_netlink.c:1803
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xcf/0x110 net/socket.c:635
 [] sock_write_iter+0x222/0x3a0 net/socket.c:834
 [] new_sync_write fs/read_write.c:478 [inline]
 [] __vfs_write+0x32e/0x440 fs/read_write.c:491
 [] vfs_write+0x16c/0x4a0 fs/read_write.c:538
 [] SYSC_write fs/read_write.c:585 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:577
 [] entry_SYSCALL_64_fastpath+0x12/0x72
Code: c0 49 89 c4 0f 84 64 04 00 00 e8 ea b7 f6 fe 49 8b 95 68 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d 7a 04 48 89 f9 48 c1 e9 03 <0f> b6 0c 01 48 89 f8 83 e0 07 83 c0 03 38 c8 7c 17 84 c9 74 13
RIP [] nla_get_be32 include/net/netlink.h:1003 [inline]
RIP [] nfacct_filter_alloc net/netfilter/nfnetlink_acct.c:250 [inline]
RIP [] nfnl_acct_get+0x1f2/0x6d0 net/netfilter/nfnetlink_acct.c:274
RSP
---[ end trace a8de975a65b4d2ea ]---

Could the following patch be applied to v4.4.y? The patch is present in v4.9.y.

* 017b1b6d28c4 ("netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters")

Tests run:
* Chrome OS tryjobs
* Syzkaller reproducer

Thanks,
- Zubin
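The trace above faults inside nla_get_be32() called from nfacct_filter_alloc(), i.e. while reading a nested NFACCT_FILTER attribute. The following is an added user-space model of that parsing step, not the kernel's code and not part of the original message. It reimplements the netlink attribute layout (struct nlattr, 4-byte alignment) and shows the two checks a nested-attribute consumer needs before touching tb[]: a per-type length policy and a presence check, so that a block missing NFACCT_FILTER_MASK or NFACCT_FILTER_VALUE is rejected with -EINVAL instead of being dereferenced. The inputs are constructed here; treating "one attribute missing" as the fuzzer's input is an assumption for illustration, and the policy/return codes are this example's own, not a claim about the exact patch contents.

```c
/* Added example: user-space model of nested netlink attribute validation.
 * Not kernel code; it mirrors the nlattr layout so the checks are faithful. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; };   /* nla_len includes header */
#define NLA_ALIGN(len) (((len) + 3u) & ~3u)
#define NLA_HDRLEN     ((uint16_t)NLA_ALIGN(sizeof(struct nlattr)))
#define NLA_TYPE_MASK  0x3fff                              /* strips NLA_F_NESTED/NET_BYTEORDER */

enum { NFACCT_FILTER_UNSPEC, NFACCT_FILTER_MASK, NFACCT_FILTER_VALUE, __NFACCT_FILTER_MAX };
#define NFACCT_FILTER_MAX (__NFACCT_FILTER_MAX - 1)

/* Minimal policy: minimum payload length per attribute type (0 = unconstrained). */
static const uint16_t filter_policy[NFACCT_FILTER_MAX + 1] = {
    [NFACCT_FILTER_MASK]  = sizeof(uint32_t),
    [NFACCT_FILTER_VALUE] = sizeof(uint32_t),
};

struct nfacct_filter { uint32_t mask; uint32_t value; };

/* Walk the attribute stream and index it by type into tb[]. Rejects truncated
 * headers, payloads running past the buffer, and payloads shorter than the
 * policy minimum. Unknown types are skipped; absent types stay NULL. */
static int parse_nested(const struct nlattr **tb, int maxtype,
                        const uint8_t *buf, size_t len, const uint16_t *policy)
{
    memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
    for (size_t off = 0; off + NLA_HDRLEN <= len; ) {
        struct nlattr nla;
        memcpy(&nla, buf + off, sizeof nla);
        if (nla.nla_len < NLA_HDRLEN || off + nla.nla_len > len)
            return -EINVAL;
        uint16_t type = nla.nla_type & NLA_TYPE_MASK;
        if (type <= maxtype) {
            uint16_t payload = nla.nla_len - NLA_HDRLEN;
            if (policy && policy[type] && payload < policy[type])
                return -ERANGE;                 /* too short for the declared type */
            tb[type] = (const struct nlattr *)(buf + off);
        }
        off += NLA_ALIGN(nla.nla_len);
    }
    return 0;
}

static uint32_t nla_get_be32(const struct nlattr *nla)
{
    uint32_t v;
    memcpy(&v, (const uint8_t *)nla + NLA_HDRLEN, sizeof v);
    return v;
}

/* Hardened consumer: validate, then refuse to proceed unless both attributes
 * are present. Without the presence check a missing attribute is a NULL tb[]
 * entry handed straight to nla_get_be32(). */
static int nfacct_filter_parse(struct nfacct_filter *f, const uint8_t *nested, size_t len)
{
    const struct nlattr *tb[NFACCT_FILTER_MAX + 1];
    int err = parse_nested(tb, NFACCT_FILTER_MAX, nested, len, filter_policy);
    if (err < 0)
        return err;
    if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
        return -EINVAL;
    f->mask  = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK]));
    f->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE]));
    return 0;
}

/* Builder for constructed test input; returns the new end offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
    struct nlattr nla = { .nla_len = (uint16_t)(NLA_HDRLEN + dlen), .nla_type = type };
    memcpy(buf + off, &nla, sizeof nla);
    memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + NLA_ALIGN(nla.nla_len);
}

/* Constructed input: well-formed block, both attributes present. Returns 0 on success. */
static int demo_well_formed(void)
{
    uint8_t buf[32] = {0};
    uint32_t mask = htonl(0xffff0000u), value = htonl(0x0a000000u);
    struct nfacct_filter f = {0};
    size_t len = put_attr(buf, 0, NFACCT_FILTER_MASK, &mask, sizeof mask);
    len = put_attr(buf, len, NFACCT_FILTER_VALUE, &value, sizeof value);
    int err = nfacct_filter_parse(&f, buf, len);
    if (err)
        return err;
    return (f.mask == 0xffff0000u && f.value == 0x0a000000u) ? 0 : -1;
}

/* Constructed input assumed to resemble the fuzzer case: only MASK present. */
static int demo_missing_value(void)
{
    uint8_t buf[32] = {0};
    uint32_t mask = htonl(0xffff0000u);
    struct nfacct_filter f = {0};
    size_t len = put_attr(buf, 0, NFACCT_FILTER_MASK, &mask, sizeof mask);
    return nfacct_filter_parse(&f, buf, len);          /* -EINVAL, no NULL deref */
}

/* Constructed input: VALUE carries a 2-byte payload, shorter than the policy minimum. */
static int demo_wrong_length(void)
{
    uint8_t buf[32] = {0};
    uint32_t mask = htonl(0xffff0000u);
    uint16_t shortval = 0x1234;
    struct nfacct_filter f = {0};
    size_t len = put_attr(buf, 0, NFACCT_FILTER_MASK, &mask, sizeof mask);
    len = put_attr(buf, len, NFACCT_FILTER_VALUE, &shortval, sizeof shortval);
    return nfacct_filter_parse(&f, buf, len);          /* -ERANGE */
}

int main(void)
{
    printf("well-formed: %d\nmissing value: %d\nwrong length: %d\n",
           demo_well_formed(), demo_missing_value(), demo_wrong_length());
    return 0;
}
```

The point of the model is the ordering: the length policy runs during parsing, the presence check runs before any tb[] entry is dereferenced, and only then are the values read. A parse that passes a NULL policy and skips the presence check accepts the same bytes and faults on the first absent attribute.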