From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Vyukov, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.14 103/183] netfilter: x_tables: fix pointer leaks to userspace
Date: Wed, 25 Apr 2018 12:35:23 +0200
Message-Id: <20180425103246.593638345@linuxfoundation.org>
In-Reply-To: <20180425103242.532713678@linuxfoundation.org>
References: <20180425103242.532713678@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Vyukov

[ Upstream commit 1e98ffea5a8935ec040ab72299e349cb44b8defd ]

Several netfilter matches and targets put kernel pointers into info
objects, but don't set usersize in descriptors. This leads to kernel
pointer leaks if a match/target is set and then read back to userspace.
Properly set usersize for these matches/targets.

Found with manual code inspection.

Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/xt_IDLETIMER.c | 1 +
 net/netfilter/xt_LED.c       | 1 +
 net/netfilter/xt_limit.c     | 3 +--
 net/netfilter/xt_nfacct.c    | 1 +
 net/netfilter/xt_statistic.c | 1 +
 5 files changed, 5 insertions(+), 2 deletions(-)

--- a/net/netfilter/xt_IDLETIMER.c +++ b/net/netfilter/xt_IDLETIMER.c @@ -256,6 +256,7 @@ static struct xt_target idletimer_tg __r .family = NFPROTO_UNSPEC, .target = idletimer_tg_target, .targetsize = sizeof(struct idletimer_tg_info), + .usersize = offsetof(struct idletimer_tg_info, timer), .checkentry = idletimer_tg_checkentry, .destroy = idletimer_tg_destroy, .me = THIS_MODULE, --- a/net/netfilter/xt_LED.c +++ b/net/netfilter/xt_LED.c @@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __rea .family = NFPROTO_UNSPEC, .target = led_tg, .targetsize = sizeof(struct xt_led_info), + .usersize = offsetof(struct xt_led_info, internal_data), .checkentry = led_tg_check, .destroy = led_tg_destroy, .me = THIS_MODULE, --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c @@ -193,9 +193,8 @@ static struct xt_match limit_mt_reg __re .compatsize = sizeof(struct compat_xt_rateinfo), .compat_from_user = limit_mt_compat_from_user, .compat_to_user = limit_mt_compat_to_user, -#else - .usersize = offsetof(struct xt_rateinfo, prev), #endif + .usersize = offsetof(struct xt_rateinfo, prev), .me = THIS_MODULE, }; --- a/net/netfilter/xt_nfacct.c +++ b/net/netfilter/xt_nfacct.c 
@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __r .match = nfacct_mt, .destroy = nfacct_mt_destroy, .matchsize = sizeof(struct xt_nfacct_match_info), + .usersize = offsetof(struct xt_nfacct_match_info, nfacct), .me = THIS_MODULE, }; --- a/net/netfilter/xt_statistic.c +++ b/net/netfilter/xt_statistic.c @@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_r .checkentry = statistic_mt_check, .destroy = statistic_mt_destroy, .matchsize = sizeof(struct xt_statistic_info), + .usersize = offsetof(struct xt_statistic_info, master), .me = THIS_MODULE, };
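
Review bot: The `offsetof(struct idletimer_tg_info, timer)` bound in the xt_IDLETIMER.c hunk is only correct while every kernel-only member sits at or after `timer`, and the struct definition is not part of this patch. A short comment at that member in the header, saying that everything from there on is kernel-only and tied to `.usersize`, would keep a later field insertion or reordering from silently reopening the leak. The same applies to `internal_data` in the xt_LED.c hunk.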
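
Review bot: The changelog does not describe the xt_limit.c hunk accurately. Here `.usersize` was already present but sat in the `#else` branch, so a build that takes the branch with `.compatsize` and `.compat_to_user` left it unset; this is a conditional-compilation fix, not a missing initializer. Please say so in the commit message, so that anyone checking another tree knows to look for the `#else` form as well as for descriptors with no `.usersize` at all.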
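
Review bot: Nothing accompanies the xt_nfacct.c and xt_statistic.c hunks to catch a regression, and the changelog says the five cases were found by manual inspection. A selftest that installs a rule using each of these extensions, reads it back, and checks that the bytes from `nfacct` and `master` onward come back as zero would verify these bounds and give the next extension that stores a pointer a pattern to follow.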
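
Added example, not part of the patch or of the kernel source: a userspace C model of the leak the commit message describes, showing what reaches the reader with the size bound unset and with it set to the offset of the first kernel-only member. `struct demo_info`, `copy_out()` and `tail_leaks()` are hypothetical names, and the model assumes that an unset (zero) usersize means the whole object is copied out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical info object: user-visible settings first, kernel-only state last. */
struct demo_info {
	uint32_t timeout;
	char label[12];
	void *timer;		/* kernel-only; stands in for a kernel pointer */
};

/*
 * Simplified model of the copy-out: copy `usersize` bytes, zero the rest.
 * Assumption: usersize == 0 (field not set) means the whole object is copied.
 */
static void copy_out(void *dst, const void *src, size_t usersize, size_t size)
{
	if (usersize == 0)
		usersize = size;
	memcpy(dst, src, usersize);
	memset((char *)dst + usersize, 0, size - usersize);
}

/* Returns 1 if any byte of the kernel-only tail reaches the output buffer. */
static int tail_leaks(size_t usersize)
{
	static int kernel_object;	/* its address plays the secret pointer */
	struct demo_info k;
	unsigned char out[sizeof(k)];
	size_t i;

	memset(&k, 0, sizeof(k));
	k.timeout = 30;
	strcpy(k.label, "demo");
	k.timer = &kernel_object;
	copy_out(out, &k, usersize, sizeof(k));
	for (i = offsetof(struct demo_info, timer); i < sizeof(k); i++)
		if (out[i] != 0)
			return 1;
	return 0;
}

int main(void)
{
	printf("unset: leak=%d, set: leak=%d\n", tail_leaks(0),
	       tail_leaks(offsetof(struct demo_info, timer)));
	return 0;
}
```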