From: Sasha Levin Date: Tue, 6 Aug 2019 22:05:08 +0000 (-0400) Subject: fixes for 4.4 X-Git-Tag: v5.2.8~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b8774058c005c74ac3c38109b057ab32bf6aa9e2;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch b/queue-4.4/netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch new file mode 100644 index 00000000000..20dfa02c345 --- /dev/null +++ b/queue-4.4/netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch @@ -0,0 +1,34 @@ +From d84be8b32a68fa491a016af0afe387391209a69e Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Tue, 3 May 2016 16:39:19 -0400 +Subject: netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter + +[ Upstream commit eda3fc50daa93b08774a18d51883c5a5d8d85e15 ] + +If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is +missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is +required to trigger the bug. + +Signed-off-by: Phil Turnbull +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_acct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c +index 088e8da06b00b..0f3cb410e42ee 100644 +--- a/net/netfilter/nfnetlink_acct.c ++++ b/net/netfilter/nfnetlink_acct.c +@@ -97,6 +97,8 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb, + return -EINVAL; + if (flags & NFACCT_F_OVERQUOTA) + return -EINVAL; ++ if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA]) ++ return -EINVAL; + + size += sizeof(u64); + } +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index ff0e2a29cb0..ad8550b32f6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,2 +1,3 @@ arm64-cpufeature-fix-ctr_el0-field-definitions.patch arm64-cpufeature-fix-feature-comparison-for-ctr_el0..patch +netfilter-nfnetlink_acct-validate-nfacct_quota-param.patch
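Review bot: In the nfnl_acct_new() hunk of net/netfilter/nfnetlink_acct.c, the added test `if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])` checks only that the attribute is present, while the context line right after it, `size += sizeof(u64);`, suggests the quota is later read as a 64-bit value. Please confirm that the attribute policy for NFACCT_QUOTA in the 4.4 tree enforces a u64 length, since a present but short attribute would pass this check. The commit message would also benefit from naming the line where the NULL tb[NFACCT_QUOTA] is dereferenced and from a Fixes: tag, so that maintainers of other stable trees can tell from the message alone whether they carry the affected code. The statement that CAP_NET_ADMIN is required is useful for triage and should stay. For the queue-4.4/series hunk, the new entry is appended after the two arm64 patches. The subject "fixes for 4.4" does not name the queued patch, so a subject that mentions nfnetlink_acct would make the queue history easier to search.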