From: Greg Kroah-Hartman Date: Mon, 20 Jan 2020 11:34:51 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.211~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7317e046cf81e7972d333293a145e4fa90cc066f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch netfilter-fix-a-use-after-free-in-mtype_destroy.patch
---
diff --git a/queue-4.9/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-4.9/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
new file mode 100644
index 00000000000..07e7c7a1ba6
--- /dev/null
+++ b/queue-4.9/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
@@ -0,0 +1,49 @@
+From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+From: Sven Eckelmann
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -242,6 +242,7 @@ static u32 batadv_hash_dat(const void *d
+ u32 hash = 0;
+ const struct batadv_dat_entry *dat = data;
+ const unsigned char *key;
++ __be16 vid;
+ u32 i;
+
+ key = (const unsigned char *)&dat->ip;
+@@ -251,7 +252,8 @@ static u32 batadv_hash_dat(const void *d
+ hash ^= (hash >> 6);
+ }
+
+- key = (const unsigned char *)&dat->vid;
++ vid = htons(dat->vid);
++ key = (__force const unsigned char *)&vid;
+ for (i = 0; i < sizeof(dat->vid); i++) {
+ hash += key[i];
+ hash += (hash << 10);
diff --git a/queue-4.9/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-4.9/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
new file mode 100644
index 00000000000..b73c2155c02
--- /dev/null
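Review bot: In the second hunk of batadv_hash_dat() the loop bound is still `sizeof(dat->vid)` while the bytes are now read from the local `__be16 vid`, so the number of bytes read and the object being read are kept in step only because the two types happen to have the same size. Writing the bound as `for (i = 0; i < sizeof(vid); i++) {` keeps the read inside the local even if the field's type changes later; the declaration of `dat->vid` is not visible in this hunk, so its current width is assumed rather than shown. A short comment above the conversion, such as `/* hash the VID in network byte order so every node selects the same DHT candidates */`, would record why `htons()` is needed here. The function body starts before the first hunk and continues past the second.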
+++ b/queue-4.9/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch 
@@ -0,0 +1,124 @@
+From 212e7f56605ef9688d0846db60c6c6ec06544095 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 11 Jan 2020 23:19:53 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
+
+From: Florian Westphal
+
+commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
+
+An earlier commit (1b789577f655060d98d20e,
+"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
+fixed missing net initialization for arptables, but turns out it was
+incomplete. We can get a very similar struct net NULL deref during
+error unwinding:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
+ xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
+ cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
+ translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
+ do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
+ do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
+
+Also init the netns pointer in xt_tgdtor_param struct.
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/arp_tables.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -515,12 +515,13 @@ static inline int check_entry_size_and_h
+ return 0;
+ }
+
+-static inline void cleanup_entry(struct arpt_entry *e)
++static void cleanup_entry(struct arpt_entry *e, struct net *net)
+ {
+ struct xt_tgdtor_param par;
+ struct xt_entry_target *t;
+
+ t = arpt_get_target(e);
++ par.net = net;
+ par.target = t->u.kernel.target;
+ par.targinfo = t->data;
+ par.family = NFPROTO_ARP;
+@@ -612,7 +613,7 @@ static int translate_table(struct net *n
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
+ break;
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ }
+ return ret;
+ }
+@@ -939,7 +940,7 @@ static int __do_replace(struct net *net,
+ /* Decrease module usage counts and free resource */
+ loc_cpu_old_entry = oldinfo->entries;
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+@@ -1003,7 +1004,7 @@ static int do_replace(struct net *net, c
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1300,7 +1301,7 @@ static int compat_do_replace(struct net
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1527,7 +1528,7 @@ static int do_arpt_get_ctl(struct sock *
+ return 
ret;
+ }
+
+-static void __arpt_unregister_table(struct xt_table *table)
++static void __arpt_unregister_table(struct net *net, struct xt_table *table)
+ {
+ struct xt_table_info *private;
+ void *loc_cpu_entry;
+@@ -1539,7 +1540,7 @@ static void __arpt_unregister_table(stru
+ /* Decrease module usage counts and free resources */
+ loc_cpu_entry = private->entries;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
+ xt_free_table_info(private);
+@@ -1579,7 +1580,7 @@ int arpt_register_table(struct net *net,
+
+ ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
+ if (ret != 0) {
+- __arpt_unregister_table(new_table);
++ __arpt_unregister_table(net, new_table);
+ *res = NULL;
+ }
+
+@@ -1594,7 +1595,7 @@ void arpt_unregister_table(struct net *n
+ const struct nf_hook_ops *ops)
+ {
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+- __arpt_unregister_table(table);
++ __arpt_unregister_table(net, table);
+ }
+
+ /* The built-in targets: standard (NULL) and error. */
diff --git a/queue-4.9/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-4.9/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
new file mode 100644
index 00000000000..e1924e75c16
--- /dev/null
+++ b/queue-4.9/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
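Review bot: cleanup_entry() still declares `struct xt_tgdtor_param par;` without an initializer, so the added `par.net = net;` repairs this one member while any member that is never assigned keeps whatever was on the stack, which is the same class of fault the commit message describes. Initializing at the declaration, `struct xt_tgdtor_param par = { .net = net, .family = NFPROTO_ARP };`, zeroes the remaining members, so a destructor that reads a forgotten field sees NULL instead of an arbitrary stack value. Whether the structure has members beyond the four assigned here cannot be seen from the hunk, so this is a hardening suggestion rather than a known second defect. The body of cleanup_entry() continues past the end of its hunk.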
@@ -0,0 +1,36 @@
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Cong Wang
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -66,9 +66,9 @@ mtype_destroy(struct ip_set *set)
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+
+- ip_set_free(map->members);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
++ ip_set_free(map->members);
+ ip_set_free(map);
+
+ set->data = NULL;
diff --git a/queue-4.9/series b/queue-4.9/series
index d238781bc56..fbfffe8152f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -75,3 +75,6 @@ scsi-fnic-use-kernel-s-pm-format-option-to-print-mac.patch scsi-fnic-fix-invalid-stack-access.patch arm64-dts-agilex-stratix10-fix-pmu-interrupt-numbers.patch cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
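Review bot: The corrected order in mtype_destroy() carries no comment explaining why `ip_set_free(map->members)` must come after `mtype_ext_cleanup(set)`, so a later tidy-up could move the free back up and reintroduce the use-after-free. A one-line comment before the moved call, `/* mtype_ext_cleanup() still reads map->members; free it only afterwards */`, would pin the dependency that the commit message states but the code does not. The function starts before the hunk and continues after it.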