linux

iv/linux

History

Eric Dumazet 89242d9584 netfilter: complete validation of user input

[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]

In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.

In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:

if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
        return -EINVAL;

Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

2024-04-17 11:19:30 +02:00

bpfilter

net: Use umd_cleanup_helper()

2023-05-31 13:06:57 +02:00

netfilter

netfilter: complete validation of user input

2024-04-17 11:19:30 +02:00

af_inet.c

inet: read sk->sk_family once in inet_recv_error()

2024-02-16 19:10:49 +01:00

ah4.c

net: ipv4: Remove completion function scaffolding

2023-02-13 18:35:15 +08:00

arp.c

arp: Prevent overflow in arp_req_get().

2024-03-01 13:35:08 +01:00

bpf_tcp_ca.c

bpf: Drop useless btf_vmlinux in bpf_tcp_ca

2023-07-18 17:31:10 -07:00

cipso_ipv4.c

inet: move inet->is_icsk to inet->inet_flags

2023-08-16 11:09:17 +01:00

datagram.c

ipv4: fix data-races around inet->inet_id

2023-08-20 11:40:49 +01:00

devinet.c

ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid

2024-03-01 13:35:07 +01:00

esp4_offload.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2023-06-22 18:40:38 -07:00

esp4.c

net: esp: fix bad handling of pages from page_pool

2024-04-03 15:28:35 +02:00

fib_frontend.c

ipv4: Fix incorrect table ID in IOCTL path

2023-03-16 17:26:31 -07:00

fib_lookup.h

…

fib_notifier.c

…

fib_rules.c

…

fib_semantics.c

ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr

2023-10-18 18:11:31 -07:00

fib_trie.c

ipv4/fib: send notify when delete source address routes

2023-10-03 09:00:40 +02:00

fou_bpf.c

bpf,fou: Add bpf_skb_{set,get}_fou_encap kfuncs

2023-04-12 16:40:39 -07:00

fou_core.c

bpf,fou: Add bpf_skb_{set,get}_fou_encap kfuncs

2023-04-12 16:40:39 -07:00

fou_nl.c

net: ynl: prefix uAPI header include with uapi/

2023-05-26 10:30:14 +01:00

fou_nl.h

net: ynl: prefix uAPI header include with uapi/

2023-05-26 10:30:14 +01:00

gre_demux.c

…

gre_offload.c

net: move gso declarations and functions to their own files

2023-06-10 00:11:41 -07:00

icmp.c

icmp: guard against too small mtu

2023-03-31 21:37:06 -07:00

igmp.c

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

2023-12-08 08:52:21 +01:00

inet_connection_sock.c

tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses.

2024-04-10 16:35:53 +02:00

inet_diag.c

inet_diag: annotate data-races around inet_diag_table[]

2024-03-26 18:19:22 -04:00

inet_fragment.c

inet: inet_defrag: prevent sk release while still in use

2024-04-10 16:35:44 +02:00

inet_hashtables.c

tcp: Fix refcnt handling in __inet_hash_connect().

2024-03-26 18:20:08 -04:00

inet_timewait_sock.c

tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()

2024-03-26 18:20:07 -04:00

inetpeer.c

…

ip_forward.c

net: ipv4, ipv6: fix IPSTATS_MIB_OUTOCTETS increment duplicated

2023-08-30 09:44:09 +01:00

ip_fragment.c

inet: inet_defrag: prevent sk release while still in use

2024-04-10 16:35:44 +02:00

ip_gre.c

erspan: make sure erspan_base_hdr is present in skb->head

2024-04-10 16:35:53 +02:00

ip_input.c

ipv4: ignore dst hint for multipath routes

2023-09-01 08:11:51 +01:00

ip_options.c

…

ip_output.c

net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams.

2024-04-03 15:28:39 +02:00

ip_sockglue.c

ipmr: fix kernel panic when forwarding mcast packets

2024-02-05 20:14:35 +00:00

ip_tunnel_core.c

tunnels: fix out of bounds access when building IPv6 PMTU error

2024-02-16 19:10:48 +01:00

ip_tunnel.c

net: add netdev_lockdep_set_classes() to virtual drivers

2024-04-13 13:07:30 +02:00

ip_vti.c

ip_vti: fix potential slab-use-after-free in decode_session6

2023-07-11 11:06:08 +02:00

ipcomp.c

xfrm: ipcomp: add extack to ipcomp{4,6}_init_state

2022-09-29 07:18:00 +02:00

ipconfig.c

net: ipconfig: move ic_nameservers_fallback into #ifdef block

2023-05-22 11:17:55 +01:00

ipip.c

ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices

2023-04-12 16:40:39 -07:00

ipmr_base.c

…

ipmr.c

ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function

2024-03-26 18:19:40 -04:00

Kconfig

tcp: configurable source port perturb table size

2022-11-16 13:02:04 +00:00

Makefile

bpf,fou: Add bpf_skb_{set,get}_fou_encap kfuncs

2023-04-12 16:40:39 -07:00

metrics.c

ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()

2023-01-23 21:37:25 -08:00

netfilter.c

…

netlink.c

…

nexthop.c

nexthop: Do not increment dump sentinel at the end of the dump

2023-08-15 18:54:53 -07:00

ping.c

bpf: Propagate modified uaddrlen from cgroup sockaddr programs

2024-01-31 16:19:04 -08:00

proc.c

net: fix IPSTATS_MIB_OUTPKGS increment in OutForwDatagrams.

2024-04-03 15:28:39 +02:00

protocol.c

…

raw_diag.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2023-04-06 12:01:20 -07:00

raw.c

ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels

2024-03-26 18:20:11 -04:00

route.c

ipv4/route: avoid unused-but-set-variable warning

2024-04-17 11:19:29 +02:00

syncookies.c

tcp: fix cookie_init_timestamp() overflows

2023-11-20 11:59:01 +01:00

sysctl_net_ipv4.c

networking: Update to register_net_sysctl_sz

2023-08-15 15:26:18 -07:00

tcp_bbr.c

bpf: Add __bpf_kfunc tag to all kfuncs

2023-02-02 00:25:14 +01:00

tcp_bic.c

…

tcp_bpf.c

tcp_bpf: properly release resources on error paths

2023-10-18 18:09:31 -07:00

tcp_cdg.c

Random number generator fixes for Linux 6.1-rc1.

2022-10-16 15:27:07 -07:00

tcp_cong.c

net: Update an existing TCP congestion control algorithm.

2023-03-22 22:53:00 -07:00

tcp_cubic.c

bpf: Add __bpf_kfunc tag to all kfuncs

2023-02-02 00:25:14 +01:00

tcp_dctcp.c

bpf: Add __bpf_kfunc tag to all kfuncs

2023-02-02 00:25:14 +01:00

tcp_dctcp.h

…

tcp_diag.c

tcp: Access &tcp_hashinfo via net.

2022-09-20 10:21:49 -07:00

tcp_fastopen.c

inet: move inet->defer_connect to inet->inet_flags

2023-08-16 11:09:18 +01:00

tcp_highspeed.c

…

tcp_htcp.c

…

tcp_hybla.c

…

tcp_illinois.c

…

tcp_input.c

tcp: do not accept ACK of bytes we never sent

2023-12-13 18:45:10 +01:00

tcp_ipv4.c

bpf: Propagate modified uaddrlen from cgroup sockaddr programs

2024-01-31 16:19:04 -08:00

tcp_lp.c

…

tcp_metrics.c

tcp_metrics: do not create an entry from tcp_init_metrics()

2023-11-20 11:58:59 +01:00

tcp_minisocks.c

rds: tcp: Fix use-after-free of net in reqsk_timer_handler().

2024-03-26 18:20:08 -04:00

tcp_nv.c

…

tcp_offload.c

net: move gso declarations and functions to their own files

2023-06-10 00:11:41 -07:00

tcp_output.c

tcp: derive delack_max from rto_min

2024-01-10 17:16:54 +01:00

tcp_plb.c

prandom: remove prandom_u32_max()

2022-12-20 03:13:45 +01:00

tcp_rate.c

…

tcp_recovery.c

tcp: fix excessive TLP and RACK timeouts from HZ rounding

2023-10-17 17:25:42 -07:00

tcp_scalable.c

…

tcp_timer.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2023-08-18 12:44:56 -07:00

tcp_ulp.c

net/ulp: use consistent error code when blocking ULP

2023-01-19 09:26:16 -08:00

tcp_vegas.c

…

tcp_vegas.h

…

tcp_veno.c

…

tcp_westwood.c

…

tcp_yeah.c

…

tcp.c

tcp: properly terminate timers for kernel sockets

2024-04-10 16:35:42 +02:00

tunnel4.c

…

udp_bpf.c

bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser()

2023-03-03 17:25:15 +01:00

udp_diag.c

udp: Access &udp_table via net.

2022-11-16 09:43:35 +00:00

udp_impl.h

sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)

2023-06-24 15:50:13 -07:00

udp_offload.c

udp: prevent local UDP tunnel packets from being GROed

2024-04-10 16:35:54 +02:00

udp_tunnel_core.c

udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO

2023-11-20 11:58:56 +01:00

udp_tunnel_nic.c

udp_tunnel: Add checks for nla_nest_start() in __udp_tunnel_nic_dump_write()

2022-11-29 08:44:24 -08:00

udp_tunnel_stub.c

…

udp.c

udp: do not accept non-tunnel GSO skbs landing in a tunnel

2024-04-10 16:35:53 +02:00

udplite.c

udplite: remove UDPLITE_BIT

2023-11-20 11:58:56 +01:00

xfrm4_input.c

udp: annotate data-races around udp->encap_type

2023-11-20 11:58:56 +01:00

xfrm4_output.c

…

xfrm4_policy.c

sysctl-6.6-rc1

2023-08-29 17:39:15 -07:00

xfrm4_protocol.c

…

xfrm4_state.c

…

xfrm4_tunnel.c

xfrm: tunnel: add extack to ipip_init_state, xfrm6_tunnel_init_state

2022-09-29 07:18:00 +02:00