From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, Florian Westphal, Pablo Neira Ayuso, syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com, Jozsef Kadlecsik
Date: Fri, 24 Apr 2020 00:06:32 +0100
Subject: [PATCH 3.16 165/245] netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present

3.16.83-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream.

The set uadt functions assume lineno is never NULL, but it is in
case of ip_set_utest().

syzkaller managed to generate a netlink message that calls this with
LINENO attr present:

general protection fault: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104
Call Trace:
 ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563

Pass a dummy lineno storage; it's easier than patching all set
implementations.

This seems to be a day-0 bug.

Cc: Jozsef Kadlecsik
Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com
Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support")
Signed-off-by: Florian Westphal
Acked-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings --- net/netfilter/ipset/ip_set_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1549,6 +1549,7 @@ ip_set_utest(struct sock *ctnl, struct s struct ip_set *set; struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; int ret = 0; + u32 lineno; if (unlikely(protocol_failed(attr) || attr[IPSET_ATTR_SETNAME] == NULL || @@ -1565,7 +1566,7 @@ ip_set_utest(struct sock *ctnl, struct s return -IPSET_ERR_PROTOCOL; read_lock_bh(&set->lock); - ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); + ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0); read_unlock_bh(&set->lock); /* Userspace can't trigger element to be re-added */ if (ret == -EAGAIN)
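Review bot: the new `u32 lineno;` added in the first hunk of ip_set_utest() deserves a one-line comment stating that it is only dummy storage for the uadt callbacks, because nothing in ip_set_utest() ever reads it after the `set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0)` call in the second hunk, so to a later reader it looks like an unused local that could be dropped and the argument reverted to NULL, which would bring back exactly the crash this patch fixes. Something like `u32 lineno; /* uadt callbacks write *lineno unconditionally; value unused here */` records the reason the variable exists, and it also makes clear that leaving it uninitialized is deliberate since the callee only writes through the pointer.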