iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Taehee Yoo b8d8cde449 netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj() 
commit 360cc79d9d299ce297b205508276285ceffc5fa8 upstream.

The table field in nft_obj_filter is not an array. In order to check
tablename, we should check if the pointer is set.

Test commands:

   %nft add table ip filter
   %nft add counter ip filter ct1
   %nft reset counters

Splat looks like:

[  306.510504] kasan: CONFIG_KASAN_INLINE enabled
[  306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables
[  306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17
[  306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
[  306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables]
[  306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246
[  306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000
[  306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a
[  306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b
[  306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108
[  306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860
[  306.528284] FS:  00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
[  306.528284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0
[  306.528284] Call Trace:
[  306.528284]  netlink_dump+0x470/0xa20
[  306.528284]  __netlink_dump_start+0x5ae/0x690
[  306.528284]  ? nf_tables_getobj+0x1b3/0x740 [nf_tables]
[  306.528284]  nf_tables_getobj+0x2f5/0x740 [nf_tables]
[  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
[  306.528284]  ? nf_tables_getobj+0x740/0x740 [nf_tables]
[  306.528284]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
[  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
[  306.528284]  nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink]
[  306.528284]  ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink]
[  306.528284]  netlink_rcv_skb+0x1c9/0x2f0
[  306.528284]  ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
[  306.528284]  ? debug_check_no_locks_freed+0x270/0x270
[  306.528284]  ? netlink_ack+0x7a0/0x7a0
[  306.528284]  ? ns_capable_common+0x6e/0x110
[ ... ]

Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-07-08 15:30:49 +02:00
..
6lowpan
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
9p
9p/trans_virtio: discard zero-length reply
2018-02-22 15:42:30 +01:00
802
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
8021q
vlan: Fix out of order vlan headers with reorder header off
2018-05-30 07:52:16 +02:00
appletalk
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atm
net: atm: Fix potential Spectre v1
2018-05-16 10:10:29 +02:00
ax25
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
batman-adv
batman-adv: fix packet loss for broadcasted DHCP packets to a server
2018-05-30 07:52:19 +02:00
bluetooth
Bluetooth: Fix connection if directed advertising and privacy is used
2018-04-19 08:56:19 +02:00
bpf
bpf: Align packet data properly in program testing framework.
2017-05-02 11:46:28 -04:00
bridge
netfilter: ebtables: fix erroneous reject of last rule
2018-05-30 07:52:14 +02:00
caif
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
can
can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
2018-01-23 19:58:17 +01:00
ceph
libceph, ceph: avoid memory leak when specifying same option several times
2018-05-30 07:52:04 +02:00
core
rtnetlink: validate attributes in do_setlink()
2018-06-11 22:49:22 +02:00
dcb
rtnetlink: make rtnl_register accept a flags parameter
2017-08-09 16:57:38 -07:00
dccp
dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
2018-06-11 22:49:18 +02:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:07:52 +01:00
dns_resolver
KEYS: DNS: limit the length of option strings
2018-04-29 11:33:10 +02:00
dsa
net: dsa: add error handling for pskb_trim_rcsum
2018-06-26 08:06:28 +08:00
ethernet
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
hsr
net/hsr: Check skb_put_padto() return value
2017-08-22 13:40:23 -07:00
ieee802154
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
2018-03-31 18:10:40 +02:00
ife
net: sched: ife: check on metadata length
2018-04-29 11:33:13 +02:00
ipv4
udp: fix rx queue len reported by diag and proc interface
2018-06-26 08:06:28 +08:00
ipv6
udp: fix rx queue len reported by diag and proc interface
2018-06-26 08:06:28 +08:00
ipx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:10:41 +02:00
kcm
kcm: Fix use-after-free caused by clonned sockets
2018-06-11 22:49:19 +02:00
key
af_key: Always verify length of provided sadb_key
2018-06-16 09:45:14 +02:00
l2tp
l2tp: revert "l2tp: fix missing print session offset info"
2018-05-19 10:20:27 +02:00
l3mdev
lapb
net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
llc
llc: properly handle dev_queue_xmit() return value
2018-05-30 07:52:20 +02:00
mac80211
mac80211: use timeout from the AddBA response instead of the request
2018-06-21 04:02:55 +09:00
mac802154
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-02-22 15:42:28 +01:00
ncsi
net/ncsi: Fix length of GVI response packet
2017-10-21 01:56:38 +01:00
netfilter
netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()
2018-07-08 15:30:49 +02:00
netlabel
netlabel: If PF_INET6, check sk_buff ip header version
2018-05-30 07:52:40 +02:00
netlink
netlink: fix uninit-value in netlink_sendmsg
2018-05-16 10:10:23 +02:00
netrom
net, netrom: convert nr_node.refcount from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
nfc
NFC: llcp: Limit size of SDP URI
2018-05-30 07:51:57 +02:00
nsh
nsh: fix infinite loop
2018-05-19 10:20:26 +02:00
openvswitch
openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
2018-05-19 10:20:24 +02:00
packet
net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan
2018-06-26 08:06:28 +08:00
phonet
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
psample
MAINTAINERS: Update Yotam's E-mail
2017-11-01 12:19:03 +09:00
qrtr
qrtr: add MODULE_ALIAS macro to smd
2018-05-30 07:52:05 +02:00
rds
rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
2018-06-21 04:02:48 +09:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:10:26 +02:00
rose
rxrpc
rxrpc: Fix the min security level for kernel calls
2018-06-21 04:02:56 +09:00
sched
net/sched: act_simple: fix parsing of TCA_DEF_DATA
2018-06-26 08:06:28 +08:00
sctp
sctp: not allow transport timeout value less than HZ/5 for hb_timer
2018-06-11 22:49:20 +02:00
smc
smc: fix sendpage() call
2018-06-21 04:02:53 +09:00
strparser
strparser: Fix incorrect strp->need_bytes value.
2018-04-29 11:33:13 +02:00
sunrpc
xprtrdma: Return -ENOBUFS when no pages are available
2018-07-03 11:24:54 +02:00
switchdev
net: switchdev: Remove bridge bypass support from switchdev
2017-08-07 14:48:48 -07:00
tipc
tipc: eliminate KMSAN uninit-value in strcmp complaint
2018-06-21 04:02:56 +09:00
tls
tls: fix use-after-free in tls_push_record
2018-06-26 08:06:29 +08:00
unix
License cleanup: add SPDX license identifiers to some files
2017-11-02 10:04:46 -07:00
vmw_vsock
VSOCK: fix outdated sk_state value in hvs_release()
2018-02-25 11:07:59 +01:00
wimax
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
wireless
cfg80211: clear wep keys after disconnection
2018-05-30 07:51:58 +02:00
x25
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xfrm
xfrm: Fix transport mode skb control buffer usage.
2018-05-30 07:52:19 +02:00
compat.c
net: support compat 64-bit time in {s,g}etsockopt
2018-05-19 10:20:24 +02:00
Kconfig
net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros.
2017-09-04 13:25:20 +02:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
socket.c
socket: close race condition between sock_close() and sockfs_setattr()
2018-06-26 08:06:28 +08:00
sysctl_net.c
sysctl: Remove dead register_sysctl_root
2017-04-16 23:42:49 -05:00