4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Jan 2020 09:31:18 +0000 (10:31 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Jan 2020 09:31:18 +0000 (10:31 +0100)
added patches:
net-x25-fix-nonblocking-connect.patch
netfilter-ipset-use-bitmap-infrastructure-completely.patch
netfilter-nf_tables-add-__nft_chain_type_get.patch

queue-4.19/net-x25-fix-nonblocking-connect.patch [new file with mode: 0644]
queue-4.19/netfilter-ipset-use-bitmap-infrastructure-completely.patch [new file with mode: 0644]
queue-4.19/netfilter-nf_tables-add-__nft_chain_type_get.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/net-x25-fix-nonblocking-connect.patch b/queue-4.19/net-x25-fix-nonblocking-connect.patch
new file mode 100644 (file)
index 0000000..0c528d9
--- /dev/null
@@ -0,0 +1,56 @@
+From e21dba7a4df4d93da237da65a096084b4f2e87b4 Mon Sep 17 00:00:00 2001
+From: Martin Schiller <ms@dev.tdt.de>
+Date: Thu, 9 Jan 2020 07:31:14 +0100
+Subject: net/x25: fix nonblocking connect
+
+From: Martin Schiller <ms@dev.tdt.de>
+
+commit e21dba7a4df4d93da237da65a096084b4f2e87b4 upstream.
+
+This patch fixes 2 issues in x25_connect():
+
+1. It makes absolutely no sense to reset the neighbour and the
+connection state after a (successful) nonblocking call of x25_connect.
+This prevents any connection from being established, since the response
+(call accept) cannot be processed.
+
+2. Any further calls to x25_connect() while a call is pending should
+simply return, instead of creating new Call Request (on different
+logical channels).
+
+This patch should also fix the "KASAN: null-ptr-deref Write in
+x25_connect" and "BUG: unable to handle kernel NULL pointer dereference
+in x25_connect" bugs reported by syzbot.
+
+Signed-off-by: Martin Schiller <ms@dev.tdt.de>
+Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com
+Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/x25/af_x25.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -765,6 +765,10 @@ static int x25_connect(struct socket *so
+       if (sk->sk_state == TCP_ESTABLISHED)
+               goto out;
++      rc = -EALREADY; /* Do nothing if call is already in progress */
++      if (sk->sk_state == TCP_SYN_SENT)
++              goto out;
++
+       sk->sk_state   = TCP_CLOSE;
+       sock->state = SS_UNCONNECTED;
+@@ -811,7 +815,7 @@ static int x25_connect(struct socket *so
+       /* Now the loop */
+       rc = -EINPROGRESS;
+       if (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))
+-              goto out_put_neigh;
++              goto out;
+       rc = x25_wait_for_connection_establishment(sk);
+       if (rc)
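Review bot: The nonblocking path now takes `goto out` instead of `goto out_put_neigh` and returns -EINPROGRESS while the socket keeps the neighbour reference obtained by x25_get_neigh() earlier in x25_connect() (outside this hunk), and nothing in the hunk shows who drops that reference if the pending call is later cleared or the socket is closed; that release presumably happens on the disconnect/close path and should be confirmed so the fix does not trade the NULL dereference for a neighbour refcount leak. A one-line comment at the new `goto out` would make the ownership explicit: `/* nonblocking: neighbour ref and lci stay with the pending call; released on disconnect/close */`. The -EALREADY guard reads correctly and sits after the -EISCONN check, so connect() on an established socket keeps its previous result. x25_connect() begins before and continues after this hunk.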
diff --git a/queue-4.19/netfilter-ipset-use-bitmap-infrastructure-completely.patch b/queue-4.19/netfilter-ipset-use-bitmap-infrastructure-completely.patch
new file mode 100644 (file)
index 0000000..2a7e640
--- /dev/null
@@ -0,0 +1,147 @@
+From 32c72165dbd0e246e69d16a3ad348a4851afd415 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kadlecsik=20J=C3=B3zsef?= <kadlec@blackhole.kfki.hu>
+Date: Sun, 19 Jan 2020 22:06:49 +0100
+Subject: netfilter: ipset: use bitmap infrastructure completely
+
+From: Kadlecsik József <kadlec@blackhole.kfki.hu>
+
+commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream.
+
+The bitmap allocation did not use full unsigned long sizes
+when calculating the required size and that was triggered by KASAN
+as slab-out-of-bounds read in several places. The patch fixes all
+of them.
+
+Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
+Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
+Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
+Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
+Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
+Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
+Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter/ipset/ip_set.h    |    7 -------
+ net/netfilter/ipset/ip_set_bitmap_gen.h   |    2 +-
+ net/netfilter/ipset/ip_set_bitmap_ip.c    |    6 +++---
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c |    6 +++---
+ net/netfilter/ipset/ip_set_bitmap_port.c  |    6 +++---
+ 5 files changed, 10 insertions(+), 17 deletions(-)
+
+--- a/include/linux/netfilter/ipset/ip_set.h
++++ b/include/linux/netfilter/ipset/ip_set.h
+@@ -451,13 +451,6 @@ ip6addrptr(const struct sk_buff *skb, bo
+              sizeof(*addr));
+ }
+-/* Calculate the bytes required to store the inclusive range of a-b */
+-static inline int
+-bitmap_bytes(u32 a, u32 b)
+-{
+-      return 4 * ((((b - a + 8) / 8) + 3) / 4);
+-}
+-
+ #include <linux/netfilter/ipset/ip_set_timeout.h>
+ #include <linux/netfilter/ipset/ip_set_comment.h>
+ #include <linux/netfilter/ipset/ip_set_counter.h>
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -79,7 +79,7 @@ mtype_flush(struct ip_set *set)
+       if (set->extensions & IPSET_EXT_DESTROY)
+               mtype_ext_cleanup(set);
+-      memset(map->members, 0, map->memsize);
++      bitmap_zero(map->members, map->elements);
+       set->elements = 0;
+       set->ext_size = 0;
+ }
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -40,7 +40,7 @@ MODULE_ALIAS("ip_set_bitmap:ip");
+ /* Type structure */
+ struct bitmap_ip {
+-      void *members;          /* the set members */
++      unsigned long *members; /* the set members */
+       u32 first_ip;           /* host byte order, included in range */
+       u32 last_ip;            /* host byte order, included in range */
+       u32 elements;           /* number of max elements in the set */
+@@ -223,7 +223,7 @@ init_map_ip(struct ip_set *set, struct b
+           u32 first_ip, u32 last_ip,
+           u32 elements, u32 hosts, u8 netmask)
+ {
+-      map->members = ip_set_alloc(map->memsize);
++      map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
+       if (!map->members)
+               return false;
+       map->first_ip = first_ip;
+@@ -313,7 +313,7 @@ bitmap_ip_create(struct net *net, struct
+       if (!map)
+               return -ENOMEM;
+-      map->memsize = bitmap_bytes(0, elements - 1);
++      map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+       set->variant = &bitmap_ip;
+       if (!init_map_ip(set, map, first_ip, last_ip,
+                        elements, hosts, netmask)) {
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -46,7 +46,7 @@ enum {
+ /* Type structure */
+ struct bitmap_ipmac {
+-      void *members;          /* the set members */
++      unsigned long *members; /* the set members */
+       u32 first_ip;           /* host byte order, included in range */
+       u32 last_ip;            /* host byte order, included in range */
+       u32 elements;           /* number of max elements in the set */
+@@ -303,7 +303,7 @@ static bool
+ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
+              u32 first_ip, u32 last_ip, u32 elements)
+ {
+-      map->members = ip_set_alloc(map->memsize);
++      map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
+       if (!map->members)
+               return false;
+       map->first_ip = first_ip;
+@@ -364,7 +364,7 @@ bitmap_ipmac_create(struct net *net, str
+       if (!map)
+               return -ENOMEM;
+-      map->memsize = bitmap_bytes(0, elements - 1);
++      map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+       set->variant = &bitmap_ipmac;
+       if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
+               kfree(map);
+--- a/net/netfilter/ipset/ip_set_bitmap_port.c
++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
+@@ -34,7 +34,7 @@ MODULE_ALIAS("ip_set_bitmap:port");
+ /* Type structure */
+ struct bitmap_port {
+-      void *members;          /* the set members */
++      unsigned long *members; /* the set members */
+       u16 first_port;         /* host byte order, included in range */
+       u16 last_port;          /* host byte order, included in range */
+       u32 elements;           /* number of max elements in the set */
+@@ -208,7 +208,7 @@ static bool
+ init_map_port(struct ip_set *set, struct bitmap_port *map,
+             u16 first_port, u16 last_port)
+ {
+-      map->members = ip_set_alloc(map->memsize);
++      map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
+       if (!map->members)
+               return false;
+       map->first_port = first_port;
+@@ -248,7 +248,7 @@ bitmap_port_create(struct net *net, stru
+               return -ENOMEM;
+       map->elements = elements;
+-      map->memsize = bitmap_bytes(0, map->elements);
++      map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+       set->variant = &bitmap_port;
+       if (!init_map_port(set, map, first_port, last_port)) {
+               kfree(map);
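Review bot: The three init functions now allocate `members` with bitmap_zalloc() (kmalloc-backed), but the destroy path in ip_set_bitmap_gen.h is left untouched — the diffstat shows that file's only change is the memset→bitmap_zero swap in mtype_flush — so the bitmap is still released by whatever that path called before, presumably ip_set_free(); that pairing is only safe if the free helper accepts a kmalloc'd pointer (kvfree() does, a bare vfree() would not) and deserves confirming. A short comment at each bitmap_zalloc() call, e.g. `/* kmalloc-backed; the destroy path must free with kfree()/kvfree(), not vfree() */`, would document the cross-file ownership. Separately, `BITS_TO_LONGS(elements) * sizeof(unsigned long)` is now spelled out verbatim in bitmap_ip_create, bitmap_ipmac_create and bitmap_port_create; since the hunk deletes bitmap_bytes() from ip_set.h, a replacement `static inline size_t ip_set_bitmap_memsize(u32 elements)` there would keep the size calculation in one place.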
diff --git a/queue-4.19/netfilter-nf_tables-add-__nft_chain_type_get.patch b/queue-4.19/netfilter-nf_tables-add-__nft_chain_type_get.patch
new file mode 100644 (file)
index 0000000..4b55b25
--- /dev/null
@@ -0,0 +1,81 @@
+From 826035498ec14b77b62a44f0cb6b94d45530db6f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 21 Jan 2020 16:07:00 +0100
+Subject: netfilter: nf_tables: add __nft_chain_type_get()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 826035498ec14b77b62a44f0cb6b94d45530db6f upstream.
+
+This new helper function validates that unknown family and chain type
+coming from userspace do not trigger an out-of-bound array access. Bail
+out in case __nft_chain_type_get() returns NULL from
+nft_chain_parse_hook().
+
+Fixes: 9370761c56b6 ("netfilter: nf_tables: convert built-in tables/chains to chain types")
+Reported-by: syzbot+156a04714799b1d480bc@syzkaller.appspotmail.com
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |   29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -472,14 +472,27 @@ static inline u64 nf_tables_alloc_handle
+ static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
+ static const struct nft_chain_type *
++__nft_chain_type_get(u8 family, enum nft_chain_types type)
++{
++      if (family >= NFPROTO_NUMPROTO ||
++          type >= NFT_CHAIN_T_MAX)
++              return NULL;
++
++      return chain_type[family][type];
++}
++
++static const struct nft_chain_type *
+ __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
+ {
++      const struct nft_chain_type *type;
+       int i;
+       for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
+-              if (chain_type[family][i] != NULL &&
+-                  !nla_strcmp(nla, chain_type[family][i]->name))
+-                      return chain_type[family][i];
++              type = __nft_chain_type_get(family, i);
++              if (!type)
++                      continue;
++              if (!nla_strcmp(nla, type->name))
++                      return type;
+       }
+       return NULL;
+ }
+@@ -1050,11 +1063,8 @@ static void nf_tables_table_destroy(stru
+ void nft_register_chain_type(const struct nft_chain_type *ctype)
+ {
+-      if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
+-              return;
+-
+       nfnl_lock(NFNL_SUBSYS_NFTABLES);
+-      if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
++      if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
+               nfnl_unlock(NFNL_SUBSYS_NFTABLES);
+               return;
+       }
+@@ -1511,7 +1521,10 @@ static int nft_chain_parse_hook(struct n
+       hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
+       hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
+-      type = chain_type[family][NFT_CHAIN_T_DEFAULT];
++      type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
++      if (!type)
++              return -EOPNOTSUPP;
++
+       if (nla[NFTA_CHAIN_TYPE]) {
+               type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
+                                                  family, autoload);
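Review bot: The new WARN_ON in nft_register_chain_type() is weaker than the two checks it replaces: __nft_chain_type_get() returns NULL for a family >= NFPROTO_NUMPROTO or a type >= NFT_CHAIN_T_MAX, so for an out-of-range registration WARN_ON() evaluates false and the function proceeds to the assignment into chain_type[][] that follows (outside the hunk, and not modified by this patch according to the diffstat), meaning the removed `WARN_ON(ctype->family >= NFPROTO_NUMPROTO)` guard no longer stops an out-of-bounds store from a buggy chain-type module. Keep an explicit range check ahead of the lookup, `if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO || ctype->type >= NFT_CHAIN_T_MAX)) return;`, before taking nfnl_lock. Registration callers are in-kernel, so this is a lost sanity check rather than a userspace-reachable hole; the userspace-facing paths in __nf_tables_chain_type_lookup() and nft_chain_parse_hook() are correctly bounded by the helper. nft_register_chain_type() ends after this hunk.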
index 6905e9675a73eb3d2164284aa8525895b0e40dd0..c14fd74fd1c053fcd82bf6abafff5646bec70675 100644 (file)
@@ -59,3 +59,6 @@ coresight-tmc-etf-do-not-call-smp_processor_id-from-preemptible.patch
 libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
 media-v4l2-ioctl.c-zero-reserved-fields-for-s-try_fmt.patch
 scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch
+netfilter-ipset-use-bitmap-infrastructure-completely.patch
+netfilter-nf_tables-add-__nft_chain_type_get.patch
+net-x25-fix-nonblocking-connect.patch