From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Francesco Ruggeri <fruggeri@arista.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Zubin Mithra <zsm@chromium.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 01/51] netfilter: compat: initialize all fields in xt_init
Date: Wed, 15 May 2019 12:55:36 +0200 [thread overview]
Message-ID: <20190515090618.008520070@linuxfoundation.org> (raw)
In-Reply-To: <20190515090616.669619870@linuxfoundation.org>
commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f upstream
If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
time, the following panic can be caused by running
% ebtables -t broute -F BROUTING
from a 32-bit user level on a 64-bit kernel. This patch replaces
kmalloc_array with kcalloc when allocating xt.
[ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920
[ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
[ 474.693838] Oops: 0000 [#1] SMP
[ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
[ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
[ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
[ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
[ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
[ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
[ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
[ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
[ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
[ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
[ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
[ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
[ 474.802052] Call Trace:
[ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables]
[ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
[ 474.815605] ? try_module_get+0x37/0x42
[ 474.819716] compat_nf_setsockopt+0x4f/0x6d
[ 474.824172] compat_ip_setsockopt+0x7e/0x8c
[ 474.828641] compat_raw_setsockopt+0x16/0x3a
[ 474.833220] compat_sock_common_setsockopt+0x1d/0x24
[ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1
[ 474.843343] ? __check_object_size+0x76/0x19a
[ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b
[ 474.853276] do_fast_syscall_32+0xaf/0xf6
[ 474.857548] entry_SYSENTER_compat+0x6b/0x7a
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/x_tables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 751fec729ffb0..e065140d0c93b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1728,7 +1728,7 @@ static int __init xt_init(void)
seqcount_init(&per_cpu(xt_recseq, i));
}
- xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
+ xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
if (!xt)
return -ENOMEM;
--
2.20.1
next prev parent reply other threads:[~2019-05-15 11:13 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 10:55 [PATCH 4.9 00/51] 4.9.177-stable review Greg Kroah-Hartman
2019-05-15 10:55 ` Greg Kroah-Hartman [this message]
2019-05-15 10:55 ` [PATCH 4.9 02/51] bpf: fix struct htab_elem layout Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 03/51] bpf: convert htab map to hlist_nulls Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 04/51] platform/x86: sony-laptop: Fix unintentional fall-through Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 05/51] USB: serial: fix unthrottle races Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 06/51] iio: adc: xilinx: fix potential use-after-free on remove Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 07/51] libnvdimm/namespace: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 08/51] HID: input: add mapping for Expose/Overview key Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 09/51] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 10/51] HID: input: add mapping for "Toggle Display" key Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 11/51] libnvdimm/btt: Fix a kmemdup failure check Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 12/51] s390/dasd: Fix capacity calculation for large volumes Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 13/51] mac80211: fix unaligned access in mesh table hash function Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 14/51] s390/3270: fix lockdep false positive on view->lock Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 15/51] mISDN: Check address length before reading address family Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 16/51] x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 17/51] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 18/51] tools lib traceevent: Fix missing equality check for strcmp Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 19/51] init: initialize jump labels before command line option parsing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 20/51] selftests: netfilter: check icmp pkttoobig errors are set as related Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 21/51] ipvs: do not schedule icmp errors from tunnels Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 22/51] MIPS: perf: ath79: Fix perfcount IRQ assignment Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 23/51] s390: ctcm: fix ctcm_new_device error return code Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 4.9 24/51] drm/sun4i: Set device driver data at bind time for use in unbind Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 25/51] selftests/net: correct the return value for run_netsocktests Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 26/51] gpu: ipu-v3: dp: fix CSC handling Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 27/51] spi: Micrel eth switch: declare missing of table Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 28/51] spi: ST ST95HF NFC: " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 29/51] Input: synaptics-rmi4 - fix possible double free Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 30/51] cw1200: fix missing unlock on error in cw1200_hw_scan() Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 31/51] ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 32/51] rtlwifi: rtl8723ae: Fix missing break in switch statement Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 33/51] Dont jump to compute_result state from check_result state Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 34/51] Revert "x86/vdso: Drop implicit common-page-size linker flag" Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 35/51] Revert "x86: vdso: Use $LD instead of $CC to link" Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 36/51] x86: vdso: Use $LD instead of $CC to link Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 37/51] x86/vdso: Drop implicit common-page-size linker flag Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 38/51] x86/vdso: Pass --eh-frame-hdr to the linker Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 39/51] powerpc/64s: Include cpu header Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 40/51] bridge: Fix error path for kobject_init_and_add() Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 41/51] fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied Greg Kroah-Hartman
2019-05-19 15:43 ` Nathan Chancellor
2019-05-19 20:27 ` Florian Westphal
2019-05-20 2:00 ` Hangbin Liu
2019-05-20 0:11 ` Sasha Levin
2019-05-20 0:29 ` David Ahern
2019-05-20 9:04 ` Greg Kroah-Hartman
2019-05-20 9:11 ` Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 42/51] net: ucc_geth - fix Oops when changing number of buffers in the ring Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 43/51] packet: Fix error path in packet_init Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 44/51] vlan: disable SIOCSHWTSTAMP in container Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 45/51] vrf: sit mtu should not be updated when vrf netdev is the link Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 46/51] ipv4: Fix raw socket lookup for local traffic Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 47/51] bonding: fix arp_validate toggling in active-backup mode Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 48/51] drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 49/51] drivers/virt/fsl_hypervisor.c: prevent integer overflow " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 50/51] powerpc/lib: fix book3s/32 boot failure due to code patching Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 4.9 51/51] powerpc/booke64: set RI in default MSR Greg Kroah-Hartman
2019-05-15 18:27 ` [PATCH 4.9 00/51] 4.9.177-stable review kernelci.org bot
2019-05-15 19:54 ` Naresh Kamboju
2019-05-16 3:34 ` Guenter Roeck
2019-05-16 11:00 ` Jon Hunter
2019-05-16 14:09 ` shuah
2019-05-17 6:33 ` Kelsey Skunberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190515090618.008520070@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fruggeri@arista.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zsm@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).