fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Tue, 6 Aug 2019 22:05:08 +0000 (18:05 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 6 Aug 2019 22:05:08 +0000 (18:05 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch b/queue-4.4/netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch
new file mode 100644 (file)
index 0000000..20dfa02
--- /dev/null
@@ -0,0 +1,34 @@
+From d84be8b32a68fa491a016af0afe387391209a69e Mon Sep 17 00:00:00 2001
+From: Phil Turnbull <phil.turnbull@oracle.com>
+Date: Tue, 3 May 2016 16:39:19 -0400
+Subject: netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
+
+[ Upstream commit eda3fc50daa93b08774a18d51883c5a5d8d85e15 ]
+
+If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is
+missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is
+required to trigger the bug.
+
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_acct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
+index 088e8da06b00b..0f3cb410e42ee 100644
+--- a/net/netfilter/nfnetlink_acct.c
++++ b/net/netfilter/nfnetlink_acct.c
+@@ -97,6 +97,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
+                       return -EINVAL;
+               if (flags & NFACCT_F_OVERQUOTA)
+                       return -EINVAL;
++              if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
++                      return -EINVAL;
+               size += sizeof(u64);
+       }
+-- 
+2.20.1
+
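Review bot: The guard added in the inner nfnetlink_acct.c hunk, `if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])`, has no comment tying it to the access it protects, and that access is not in the hunk, so a later reader of the 4.4 tree cannot see why the attribute must be present. I would put `/* a quota flag promises NFACCT_QUOTA; it is read further down without a NULL check */` above it, with the wording confirmed against the rest of `nfnl_acct_new`, whose body starts and ends outside the hunk. The check also appears to sit inside the branch that parses the flags attribute, so it is worth confirming on this branch that nothing reads `tb[NFACCT_QUOTA]` when no flags were supplied. The commit message says CAP_NET_ADMIN is needed to reach this path; whether that means only the initial user namespace on 4.4 is not visible here, and the answer decides how urgently deployments should pick up the backport.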
index ff0e2a29cb084d86407bf77072211516c979ae3c..ad8550b32f60d95c79f4d08669adb23d75f5106f 100644 (file)
@@ -1,2 +1,3 @@
 arm64-cpufeature-fix-ctr_el0-field-definitions.patch
 arm64-cpufeature-fix-feature-comparison-for-ctr_el0..patch
+netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch