Date: Wed, 20 Jun 2018 18:33:45 +0200
Message-Id: <20180620163345.212776-1-jannh@google.com>
Subject: [PATCH net] netfilter: nf_log: fix uninit read in nf_log_proc_dostring
From: Jann Horn
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, jannh@google.com
Cc: "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

When proc_dostring() is called with a non-zero offset in strict mode, it
doesn't just write to the ->data buffer, it also reads. Make sure it
doesn't read uninitialized data.

Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]")
Signed-off-by: Jann Horn
---
 net/netfilter/nf_log.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 426457047578..2c47f9ec3511 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c
@@ -424,6 +424,10 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, if (write) { struct ctl_table tmp = *table; + /* proc_dostring() can append to existing strings, so we need to + * initialize it as an empty string. + */ + buf[0] = '\0'; tmp.data = buf; r = proc_dostring(&tmp, write, buffer, lenp, ppos); if (r) -- 2.18.0.rc1.244.gcf134e6275-goog
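
Review bot: The comment added above buf[0] = '\0' refers to the buffer only as "it" and says proc_dostring() can append, but not that the append case reads tmp.data first, which is the actual reason the store is needed. Suggest naming buf and carrying over the commit message's wording (a write with a non-zero offset in strict mode also reads ->data), so the line is not later removed as a redundant initialization. The commit message could also state what a write at a non-zero offset now does to the logger setting, since buf is always an empty string when proc_dostring() is entered.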
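
The bug class the commit message describes, as an added user-space example that is not part of the patch or of the kernel source: a write at a non-zero offset measures the existing string before storing, so an uninitialized destination leaks stale bytes into the result. model_dostring(), stale_prefix(), NAME_LEN and the 0xAA fill are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* assumed size; the patch does not show buf's declaration */

/* Simplified model (not kernel code) of a strict-mode string write at
 * offset pos: the current string in data is measured first, which is a
 * read of data, and a write starting past its end stores nothing. */
static int model_dostring(char *data, size_t maxlen,
                          const char *src, size_t n, size_t pos)
{
    size_t len = 0;

    while (len < maxlen - 1 && data[len] != '\0')  /* read before write */
        len++;
    if (pos > len)
        return 0;
    len = pos;
    while (len < maxlen - 1 && n > 0 && *src != '\0' && *src != '\n') {
        data[len++] = *src++;
        n--;
    }
    data[len] = '\0';
    return (int)len;
}

/* Counts stale bytes left in the resulting string. */
static size_t stale_prefix(int init_first)
{
    char buf[NAME_LEN];
    size_t i, stale = 0;

    memset(buf, 0xAA, sizeof(buf));  /* constructed stand-in for stale stack data */
    if (init_first)
        buf[0] = '\0';               /* the store the patch adds */
    model_dostring(buf, sizeof(buf), "NONE\n", 5, 3);  /* write at offset 3 */
    for (i = 0; buf[i] != '\0'; i++)
        if ((unsigned char)buf[i] == 0xAA)
            stale++;
    return stale;
}

int main(void)
{
    printf("without init: %zu stale bytes\n", stale_prefix(0));
    printf("with init:    %zu stale bytes\n", stale_prefix(1));
    return 0;
}
```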