iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Jianguo Wu d62df86c17 seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors 
[ Upstream commit 9a3bc8d16e0aacd65c31aaf23a2bced3288a7779 ]

input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for
PREROUTING hook, in PREROUTING hook, we should passing a valid indev,
and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer
dereference, as below:

    [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090
    [74830.655633] #PF: supervisor read access in kernel mode
    [74830.657888] #PF: error_code(0x0000) - not-present page
    [74830.659500] PGD 0 P4D 0
    [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI
    ...
    [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]
    ...
    [74830.689725] Call Trace:
    [74830.690402]  <IRQ>
    [74830.690953]  ? show_trace_log_lvl+0x1c4/0x2df
    [74830.692020]  ? show_trace_log_lvl+0x1c4/0x2df
    [74830.693095]  ? ipt_do_table+0x286/0x710 [ip_tables]
    [74830.694275]  ? __die_body.cold+0x8/0xd
    [74830.695205]  ? page_fault_oops+0xac/0x140
    [74830.696244]  ? exc_page_fault+0x62/0x150
    [74830.697225]  ? asm_exc_page_fault+0x22/0x30
    [74830.698344]  ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]
    [74830.699540]  ipt_do_table+0x286/0x710 [ip_tables]
    [74830.700758]  ? ip6_route_input+0x19d/0x240
    [74830.701752]  nf_hook_slow+0x3f/0xb0
    [74830.702678]  input_action_end_dx4+0x19b/0x1e0
    [74830.703735]  ? input_action_end_t+0xe0/0xe0
    [74830.704734]  seg6_local_input_core+0x2d/0x60
    [74830.705782]  lwtunnel_input+0x5b/0xb0
    [74830.706690]  __netif_receive_skb_one_core+0x63/0xa0
    [74830.707825]  process_backlog+0x99/0x140
    [74830.709538]  __napi_poll+0x2c/0x160
    [74830.710673]  net_rx_action+0x296/0x350
    [74830.711860]  __do_softirq+0xcb/0x2ac
    [74830.713049]  do_softirq+0x63/0x90

input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally
trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():

    static bool
    rpfilter_is_loopback(const struct sk_buff *skb,
          	       const struct net_device *in)
    {
            // in is NULL
            return skb->pkt_type == PACKET_LOOPBACK ||
          	 in->flags & IFF_LOOPBACK;
    }

Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane")
Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-27 13:49:08 +02:00
..
6lowpan
9p
net/9p: fix uninit-value in p9_client_rpc()
2024-06-16 13:47:41 +02:00
802
8021q
net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb
2024-05-17 12:02:07 +02:00
appletalk
appletalk: Fix Use-After-Free in atalk_ioctl
2023-12-20 17:01:50 +01:00
atm
atm: Fix Use-After-Free in do_vcc_ioctl
2023-12-20 17:01:48 +01:00
ax25
ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put()
2024-06-21 14:38:14 +02:00
batman-adv
batman-adv: bypass empty buckets in batadv_purge_orig_ref()
2024-06-27 13:49:01 +02:00
bluetooth
Bluetooth: fix connection setup in l2cap_connect
2024-06-21 14:38:34 +02:00
bpf
bpf: Set run context for rawtp test_run callback
2024-06-21 14:38:16 +02:00
bpfilter
net: Use umd_cleanup_helper()
2023-05-31 13:06:57 +02:00
bridge
net: bridge: mst: fix suspicious rcu usage in br_mst_set_state
2024-06-21 14:38:36 +02:00
caif
sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)
2023-06-24 15:50:13 -07:00
can
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
2024-02-23 09:25:17 +01:00
ceph
libceph: fail sparse-read if the data length doesn't match
2024-03-01 13:34:56 +01:00
core
netns: Make get_net_ns() handle zero refcount net
2024-06-27 13:49:06 +02:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-01 21:07:46 -07:00
dccp
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 11:59:35 +01:00
devlink
devlink: fix port new reply cmd type
2024-03-26 18:20:11 -04:00
dns_resolver
keys, dns: Fix size check of V1 server-list header
2024-01-25 15:35:41 -08:00
dsa
net: dsa: mark parsed interface mode for legacy switch drivers
2023-08-09 13:08:09 -07:00
ethernet
ethernet: Add helper for assigning packet type when dest address does not match device address
2024-05-02 16:32:46 +02:00
ethtool
net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()
2024-06-21 14:38:20 +02:00
handshake
net/handshake: Fix handshake_req_destroy_test1
2024-02-23 09:24:50 +01:00
hsr
hsr: Simplify code for announcing HSR nodes timer setup
2024-05-17 12:02:24 +02:00
ieee802154
sysctl-6.6-rc1
2023-08-29 17:39:15 -07:00
ife
net: sched: ife: fix potential use-after-free
2024-01-01 12:42:30 +00:00
ipv4
cipso: fix total option length computation
2024-06-27 13:49:06 +02:00
ipv6
seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors
2024-06-27 13:49:08 +02:00
iucv
net/iucv: fix the allocation size of iucv_path_table array
2024-03-26 18:19:12 -04:00
kcm
net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
2024-03-26 18:19:40 -04:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2023-08-18 12:44:56 -07:00
l2tp
net l2tp: drop flow hash on forward
2024-05-17 12:02:02 +02:00
l3mdev
lapb
llc
llc: call sock_orphan() at release time
2024-02-05 20:14:36 +00:00
mac80211
wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
2024-06-21 14:38:13 +02:00
mac802154
mac802154: fix llsec key resources release in mac802154_llsec_key_del
2024-04-03 15:28:27 +02:00
mctp
net: mctp: copy skb ext data when fragmenting
2024-03-26 18:19:34 -04:00
mpls
net: mpls: error out if inner headers are not set
2024-04-13 13:07:41 +02:00
mptcp
mptcp: pm: update add_addr counters after connect
2024-06-21 14:38:38 +02:00
ncsi
net/ncsi: Fix the multi thread manner of NCSI driver
2024-06-21 14:38:14 +02:00
netfilter
netfilter: ipset: Fix suspicious rcu_dereference_protected()
2024-06-27 13:49:08 +02:00
netlabel
calipso: fix memory leak in netlbl_calipso_add_pass()
2024-01-25 15:35:14 -08:00
netlink
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
2024-03-06 14:48:34 +00:00
netrom
netrom: Fix a memory leak in nr_heartbeat_expiry()
2024-06-27 13:49:06 +02:00
nfc
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
2024-06-12 11:12:51 +02:00
nsh
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
2024-05-17 12:02:02 +02:00
openvswitch
openvswitch: Set the skbuff pkt_type for proper pmtud support.
2024-06-12 11:12:49 +02:00
packet
af_packet: avoid a false positive warning in packet_setsockopt()
2024-06-27 13:49:01 +02:00
phonet
phonet: fix rtm_phonet_notify() skb allocation
2024-05-17 12:02:22 +02:00
psample
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
2023-12-13 18:45:10 +01:00
qrtr
net: qrtr: ns: Fix module refcnt
2024-06-12 11:12:12 +02:00
rds
net/rds: fix possible cp null dereference
2024-04-10 16:35:49 +02:00
rfkill
net: rfkill: gpio: set GPIO direction
2024-01-01 12:42:41 +00:00
rose
net/rose: fix races in rose_kill_by_device()
2024-01-01 12:42:31 +00:00
rxrpc
rxrpc: Only transmit one ACK per jumbo packet received
2024-05-17 12:02:23 +02:00
sched
sched: act_ct: add netns into the key of tcf_ct_flow_table
2024-06-27 13:49:07 +02:00
sctp
sctp: fix busy polling
2024-01-25 15:35:30 -08:00
smc
net/smc: avoid overwriting when adjusting sock bufsizes
2024-06-21 14:38:16 +02:00
strparser
sunrpc
SUNRPC: return proper error from gss_wrap_req_priv
2024-06-21 14:38:28 +02:00
switchdev
net: bridge: switchdev: Skip MDB replays of deferred events on offload
2024-03-01 13:35:06 +01:00
tipc
tipc: force a dst refcount before doing decryption
2024-06-27 13:49:07 +02:00
tls
tls: fix missing memory barrier in tls_init
2024-06-12 11:12:50 +02:00
unix
af_unix: Read with MSG_PEEK loops if the first unread byte is OOB
2024-06-21 14:38:36 +02:00
vmw_vsock
vsock/virtio: fix packet delivery to tap device
2024-04-10 16:35:50 +02:00
wireless
wifi: cfg80211: pmsr: use correct nla_get_uX functions
2024-06-21 14:38:12 +02:00
x25
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
2024-03-26 18:19:41 -04:00
xdp
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
2024-04-17 11:19:28 +02:00
xfrm
net: fix __dst_negative_advice() race
2024-06-16 13:47:44 +02:00
compat.c
devres.c
Kconfig
bpf: Add fd-based tcx multi-prog infra with link support
2023-07-19 10:07:27 -07:00
Kconfig.debug
Makefile
socket.c
net: Save and restore msg_namelen in sock_sendmsg
2024-01-10 17:16:51 +01:00
sysctl_net.c
sysctl: Add size to register_net_sysctl function
2023-08-15 15:26:17 -07:00