From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Taehee Yoo, Pablo Neira Ayuso
Subject: [PATCH 4.14 28/61] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval
Date: Fri, 6 Jul 2018 07:46:52 +0200
Message-Id: <20180706054713.416984485@linuxfoundation.org>
In-Reply-To: <20180706054712.332416244@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Taehee Yoo commit 97a0549b15a0b466c47f6a0143a490a082c64b4e upstream. In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. But correct type is u8. so that sometimes incorrect value is dereferenced. Steps to reproduce: %nft add table ip filter %nft add chain ip filter input { type filter hook input priority 4\; } %nft add rule ip filter input nftrace set 0 %nft monitor Sometimes, we can see trace messages. trace id 16767227 ip filter input packet: iif "enp2s0" ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0 ip ecn not-ect ip trace id 16767227 ip filter input rule nftrace set 0 (verdict continue) trace id 16767227 ip filter input verdict continue trace id 16767227 ip filter input Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nft_meta.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -229,7 +229,7 @@ void nft_meta_set_eval(const struct nft_ struct sk_buff *skb = pkt->skb; u32 *sreg = ®s->data[meta->sreg]; u32 value = *sreg; - u8 pkt_type; + u8 value8; switch (meta->key) { case NFT_META_MARK: @@ -239,15 +239,17 @@ void nft_meta_set_eval(const struct nft_ skb->priority = value; break; case NFT_META_PKTTYPE: - pkt_type = nft_reg_load8(sreg); + value8 = nft_reg_load8(sreg); - if (skb->pkt_type != pkt_type && - skb_pkt_type_ok(pkt_type) && + if (skb->pkt_type != value8 && + skb_pkt_type_ok(value8) && skb_pkt_type_ok(skb->pkt_type)) - skb->pkt_type = pkt_type; + skb->pkt_type = value8; break; case NFT_META_NFTRACE: - skb->nf_trace = !!value; + value8 = nft_reg_load8(sreg); + + skb->nf_trace = !!value8; break; default: WARN_ON(1);
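Review bot: In the declarations hunk (@@ -229,7), `u32 value = *sreg;` is still read unconditionally beside the new `u8 value8`, so the function now keeps two views of the same register with nothing saying which keys may use which. A short comment there, noting that the 32-bit `value` is for the NFT_META_MARK and `skb->priority` assignments and that 8-bit keys must go through nft_reg_load8(), would keep a later key from repeating the mistake this patch fixes.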
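Review bot: In the second hunk (@@ -239,15), the NFT_META_NFTRACE case now loads through nft_reg_load8(sreg) like NFT_META_PKTTYPE, but the changelog only says the wrong value is read "sometimes" and carries no Fixes: tag. Please state why the bytes above the low 8 bits of the register can be non-zero for `nftrace set 0`, and name the commit that introduced the u32 read, so stable maintainers can tell which trees need this. The `pkt_type` to `value8` rename in the NFT_META_PKTTYPE case is unrelated to the fix and could be dropped to keep the backport minimal.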