From: Greg Kroah-Hartman
Date: Mon, 29 Apr 2019 12:24:02 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v4.9.172~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57f7cf017c316ef1e550a729667159c858f361ce;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
---
diff --git a/queue-3.18/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-3.18/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
new file mode 100644
index 00000000000..d20dabc34ca
--- /dev/null
+++ b/queue-3.18/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
@@ -0,0 +1,34 @@
+From 7caa56f006e9d712b44f27b32520c66420d5cbc6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 15 Apr 2019 00:43:00 +0200
+Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
+
+From: Florian Westphal
+
+commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream.
+
+It means userspace gave us a ruleset where there is some other
+data after the ebtables target but before the beginning of the next rule.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2042,7 +2042,8 @@ static int ebt_size_mwt(struct compat_eb
+ if (match_kern)
+ match_kern->match_size = ret;
+
+- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++ /* rule should have no remaining data after target */
++ if (type == EBT_COMPAT_TARGET && size_left)
+ return -EINVAL;
+
+ match32 = (struct compat_ebt_entry_mwt *) buf;
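Review bot: The comment added above the `type == EBT_COMPAT_TARGET && size_left` check in the new `ebtables.c` lines states the invariant but not why the WARN_ON was dropped, which is the security-relevant part: per the commit message the leftover bytes come straight from a userspace ruleset, so this is validation of untrusted input rather than a kernel bug. I would word it as `/* userspace-supplied rule has data left after the target: reject, but don't WARN on untrusted input */` so the WARN_ON is not reintroduced later. The `-EINVAL` return itself is kept, which is the right behaviour. `ebt_size_mwt()` starts and ends outside this hunk, so whether its other size checks carry similar WARN_ONs cannot be judged from here.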
diff --git a/queue-3.18/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch b/queue-3.18/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
new file mode 100644
index 00000000000..98202b824ab
--- /dev/null
+++ b/queue-3.18/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
@@ -0,0 +1,43 @@
+From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Sat, 30 Mar 2019 10:21:07 +0900
+Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
+
+From: Tetsuo Handa
+
+commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream.
+
+syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This
+is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family
+(which is embedded into user-visible "struct nfs_mount_data" structure)
+despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6)
+bytes of AF_INET6 address to rpc_sockaddr2uaddr().
+
+Since "struct nfs_mount_data" structure is user-visible, we can't change
+"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore,
+assuming that everybody is using AF_INET family when passing address via
+"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET.
+
+[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c
+
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2019,7 +2019,8 @@ static int nfs23_validate_mount_data(voi
+ memcpy(sap, &data->addr, sizeof(data->addr));
+ args->nfs_server.addrlen = sizeof(data->addr);
+ args->nfs_server.port = ntohs(data->addr.sin_port);
+- if (!nfs_verify_server_address(sap))
++ if (sap->sa_family != AF_INET ||
++ !nfs_verify_server_address(sap))
+ goto out_no_address;
+
+ if (!(data->flags & NFS_MOUNT_TCP))
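Review bot: The new `sap->sa_family != AF_INET` test in `nfs23_validate_mount_data()` carries no comment, and the reason is not obvious from the code: only `sizeof(data->addr)` bytes of a `struct sockaddr_in` are copied into `sap` just above, so any other family claimed by the mount data would make later consumers read address bytes that were never initialised. A one-line comment such as `/* data->addr is a struct sockaddr_in; any other family would read past the bytes copied above */` would record that. The rejection also reuses `goto out_no_address`, whose label is outside this hunk; if its message says that no address was passed, a wrong-family mount would be reported misleadingly, which is worth confirming. The function body starts and ends outside the hunk.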
diff --git a/queue-3.18/series b/queue-3.18/series
index 43a7ab280f1..bb75873fb69 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -5,3 +5,5 @@ ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch
 sunrpc-don-t-mark-uninitialised-items-as-valid.patch
 slip-make-slhc_free-silently-accept-an-error-pointer.patch
 fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
+nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
+netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch