iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Vasily Averin 82e85c0e7f netfilter: x_tables: gpf inside xt_find_revision() 
commit 8e24edddad152b998b37a7f583175137ed2e04a5 upstream.

nested target/match_revfn() calls work with xt[NFPROTO_UNSPEC] lists
without taking xt[NFPROTO_UNSPEC].mutex. This can race with module unload
and cause host to crash:

general protection fault: 0000 [#1]
Modules linked in: ... [last unloaded: xt_cluster]
CPU: 0 PID: 542455 Comm: iptables
RIP: 0010:[<ffffffff8ffbd518>]  [<ffffffff8ffbd518>] strcmp+0x18/0x40
RDX: 0000000000000003 RSI: ffff9a5a5d9abe10 RDI: dead000000000111
R13: ffff9a5a5d9abe10 R14: ffff9a5a5d9abd8c R15: dead000000000100
(VvS: %R15 -- &xt_match,  %RDI -- &xt_match.name,
xt_cluster unregister match in xt[NFPROTO_UNSPEC].match list)
Call Trace:
 [<ffffffff902ccf44>] match_revfn+0x54/0xc0
 [<ffffffff902ccf9f>] match_revfn+0xaf/0xc0
 [<ffffffff902cd01e>] xt_find_revision+0x6e/0xf0
 [<ffffffffc05a5be0>] do_ipt_get_ctl+0x100/0x420 [ip_tables]
 [<ffffffff902cc6bf>] nf_getsockopt+0x4f/0x70
 [<ffffffff902dd99e>] ip_getsockopt+0xde/0x100
 [<ffffffff903039b5>] raw_getsockopt+0x25/0x50
 [<ffffffff9026c5da>] sock_common_getsockopt+0x1a/0x20
 [<ffffffff9026b89d>] SyS_getsockopt+0x7d/0xf0
 [<ffffffff903cbf92>] system_call_fastpath+0x25/0x2a

Fixes: 656caff20e1 ("netfilter 04/09: x_tables: fix match/target revision lookup")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-17 17:03:32 +01:00
..
6lowpan
6lowpan: no need to check return value of debugfs_create functions
2019-07-06 12:50:01 +02:00
9p
net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
2020-11-05 11:43:20 +01:00
802
8021q
net: vlan: avoid leaks on register_vlan_dev() failures
2021-01-17 14:05:31 +01:00
appletalk
appletalk: Fix atalk_proc_init() return path
2020-08-11 15:33:40 +02:00
atm
atm: fix a memory leak of vcc->user_back
2020-10-01 13:17:58 +02:00
ax25
AX.25: Prevent integer overflows in connect and sendmsg
2020-07-31 18:39:31 +02:00
batman-adv
batman-adv: set .owner to THIS_MODULE
2020-12-02 08:49:50 +01:00
bluetooth
Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
2021-03-07 12:20:45 +01:00
bpf
bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN
2019-07-25 18:00:41 -07:00
bpfilter
net/bpfilter: remove superfluous testing message
2020-04-21 09:04:53 +02:00
bridge
net: bridge: use switchdev for port flags set through sysfs too
2021-03-07 12:20:43 +01:00
caif
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
can
can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check
2020-12-11 13:23:32 +01:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-11-05 11:43:34 +01:00
core
pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
2021-03-07 12:20:44 +01:00
dcb
net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
2021-01-23 15:57:59 +01:00
dccp
dccp: Fix possible memleak in dccp_init and dccp_fini
2020-06-17 16:40:32 +02:00
decnet
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:18:58 +01:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:36:45 +02:00
dsa
net: dsa: add GRO support via gro_cells
2021-03-11 14:06:48 +01:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:20:06 +01:00
hsr
hsr: check protocol version in hsr_newlink()
2020-04-21 09:04:44 +02:00
ieee802154
nl802154: add missing attribute validation for dev_type
2020-03-18 07:17:44 +01:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
tcp: add sanity tests to TCP_QUEUE_SEQ
2021-03-17 17:03:32 +01:00
ipv6
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
2021-03-04 10:26:53 +01:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:20:42 +01:00
kcm
kcm: disable preemption in kcm_parse_func_strparser()
2019-09-27 10:27:14 +02:00
key
af_key: relax availability checks for skb size calculation
2021-02-13 13:52:54 +01:00
l2tp
l2tp: remove skb_dst_set() from l2tp_xmit_skb()
2020-07-22 09:32:47 +02:00
l3mdev
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:25:28 +01:00
llc
net: silence data-races on sk_backlog.tail
2020-10-01 13:17:15 +02:00
mac80211
mac80211: fix potential overflow when multiplying to u32 integers
2021-03-04 10:26:17 +01:00
mac802154
mac802154: tx: fix use-after-free
2020-10-01 13:18:17 +02:00
mpls
net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
2021-03-17 17:03:31 +01:00
ncsi
net/ncsi: Use real net-device for response handler
2021-01-12 20:16:13 +01:00
netfilter
netfilter: x_tables: gpf inside xt_find_revision()
2021-03-17 17:03:32 +01:00
netlabel
netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
2020-11-24 13:28:57 +01:00
netlink
genetlink: remove genl_bind
2020-07-22 09:32:46 +02:00
netrom
net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
2020-04-29 16:33:08 +02:00
nfc
NFC: fix possible resource leak
2021-02-03 23:26:01 +01:00
nsh
openvswitch
net: openvswitch: ensure LSE is pullable before reading it
2020-12-08 10:40:27 +01:00
packet
net/packet: fix overflow in tpacket_rcv
2020-09-09 19:12:29 +02:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
psample
net: psample: fix skb_over_panic
2019-12-04 22:30:54 +01:00
qrtr
net: qrtr: Fix memory leak in qrtr_tun_open
2021-03-04 10:26:53 +01:00
rds
net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
2021-02-17 10:35:19 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-24 13:29:05 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-12-08 10:40:23 +01:00
rxrpc
rxrpc: Fix clearance of Tx/Rx ring when releasing a call
2021-02-17 10:35:18 +01:00
sched
net: sched: fix police ext initialization
2021-03-04 10:26:53 +01:00
sctp
net: fix iteration for sctp transport seq_files
2021-02-17 10:35:19 +01:00
smc
net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid()
2020-11-24 13:28:58 +01:00
strparser
sunrpc
SUNRPC: Handle 0 length opaque XDR object data properly
2021-02-13 13:52:56 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:35:46 +01:00
tipc
tipc: fix NULL deref in tipc_link_xmit()
2021-01-23 15:58:00 +01:00
tls
net/tls: Protect from calling tls_dev_del for TLS RX twice
2020-12-08 10:40:23 +01:00
unix
skbuff: fix a data race in skb_queue_len()
2020-10-01 13:17:31 +02:00
vmw_vsock
vsock: fix locking in vsock_shutdown()
2021-02-17 10:35:19 +01:00
wimax
wimax: no need to check return value of debugfs_create functions
2019-08-10 15:25:47 -07:00
wireless
wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
2021-02-03 23:25:56 +01:00
x25
net/x25: prevent a couple of overflows
2020-12-08 10:40:26 +01:00
xdp
xsk: Replace datagram_poll by sock_poll_wait
2020-12-30 11:50:53 +01:00
xfrm
xfrm: interface: use icmp_ndo_send helper
2021-03-04 10:26:53 +01:00
compat.c
net/compat: Add missing sock updates for SCM_RIGHTS
2020-08-21 13:05:25 +02:00
Kconfig
net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
2020-04-01 11:02:18 +02:00
Makefile
socket.c
net: Set fput_needed iff FDPUT_FPUT is set
2020-08-19 08:16:22 +02:00
sysctl_net.c