]>
Commit | Line | Data |
---|---|---|
36e3f504 SL |
1 | From ae78c9c5e681bfd62037106c229738bcf9bf478c Mon Sep 17 00:00:00 2001 |
2 | From: Francesco Ruggeri <fruggeri@arista.com> | |
3 | Date: Sun, 10 Feb 2019 11:58:29 -0800 | |
4 | Subject: netfilter: compat: initialize all fields in xt_init | |
5 | ||
6 | [ Upstream commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f ] | |
7 | ||
8 | If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init | |
9 | time, the following panic can be caused by running | |
10 | ||
11 | % ebtables -t broute -F BROUTING | |
12 | ||
13 | from a 32-bit user level on a 64-bit kernel. This patch replaces | |
14 | kmalloc_array with kcalloc when allocating xt. | |
15 | ||
16 | [ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920 | |
17 | [ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0 | |
18 | [ 474.693838] Oops: 0000 [#1] SMP | |
19 | [ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1 | |
20 | [ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013 | |
21 | [ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables] | |
22 | [ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d | |
23 | [ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207 | |
24 | [ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249 | |
25 | [ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124 | |
26 | [ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f | |
27 | [ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001 | |
28 | [ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8 | |
29 | [ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700 | |
30 | [ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 | |
31 | [ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0 | |
32 | [ 474.802052] Call Trace: | |
33 | [ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables] | |
34 | [ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables] | |
35 | [ 474.815605] ? try_module_get+0x37/0x42 | |
36 | [ 474.819716] compat_nf_setsockopt+0x4f/0x6d | |
37 | [ 474.824172] compat_ip_setsockopt+0x7e/0x8c | |
38 | [ 474.828641] compat_raw_setsockopt+0x16/0x3a | |
39 | [ 474.833220] compat_sock_common_setsockopt+0x1d/0x24 | |
40 | [ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1 | |
41 | [ 474.843343] ? __check_object_size+0x76/0x19a | |
42 | [ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b | |
43 | [ 474.853276] do_fast_syscall_32+0xaf/0xf6 | |
44 | [ 474.857548] entry_SYSENTER_compat+0x6b/0x7a | |
45 | ||
46 | Signed-off-by: Francesco Ruggeri <fruggeri@arista.com> | |
47 | Acked-by: Florian Westphal <fw@strlen.de> | |
48 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | |
49 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
50 | --- | |
51 | net/netfilter/x_tables.c | 2 +- | |
52 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
53 | ||
54 | diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c | |
55 | index aecadd471e1d..13e1ac333fa4 100644 | |
56 | --- a/net/netfilter/x_tables.c | |
57 | +++ b/net/netfilter/x_tables.c | |
58 | @@ -1899,7 +1899,7 @@ static int __init xt_init(void) | |
59 | seqcount_init(&per_cpu(xt_recseq, i)); | |
60 | } | |
61 | ||
62 | - xt = kmalloc_array(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); | |
63 | + xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); | |
64 | if (!xt) | |
65 | return -ENOMEM; | |
66 | ||
67 | -- | |
68 | 2.19.1 | |
69 |