From: Greg Kroah-Hartman
Date: Tue, 17 May 2016 01:13:16 +0000 (-0700)
Subject: 4.4-stable patches
X-Git-Tag: v3.14.70~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c422941394239e32ee056d3d1ec75420a9e30f92;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch
---
diff --git a/queue-4.4/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch b/queue-4.4/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch
new file mode 100644
index 00000000000..9bb1788c455
--- /dev/null
+++ b/queue-4.4/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch
@@ -0,0 +1,50 @@
+From 31b0b385f69d8d5491a4bca288e25e63f1d945d0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sat, 14 May 2016 11:11:44 -0700
+Subject: nf_conntrack: avoid kernel pointer value leak in slab name
+
+From: Linus Torvalds
+
+commit 31b0b385f69d8d5491a4bca288e25e63f1d945d0 upstream.
+
+The slab name ends up being visible in the directory structure under
+/sys, and even if you don't have access rights to the file you can see
+the filenames.
+
+Just use a 64-bit counter instead of the pointer to the 'net' structure
+to generate a unique name.
+
+This code will go away in 4.7 when the conntrack code moves to a single
+kmemcache, but this is the backportable simple solution to avoiding
+leaking kernel pointers to user space.
+
+Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
+Signed-off-by: Linus Torvalds
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1757,6 +1757,7 @@ void nf_conntrack_init_end(void)
+ 
+ int nf_conntrack_init_net(struct net *net)
+ {
++ static atomic64_t unique_id;
+ int ret = -ENOMEM;
+ int cpu;
+ 
+@@ -1779,7 +1780,8 @@ int nf_conntrack_init_net(struct net *ne
+ if (!net->ct.stat)
+ goto err_pcpu_lists;
+ 
+- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
++ (u64)atomic64_inc_return(&unique_id));
+ if (!net->ct.slabname)
+ goto err_slabname;
+ 
diff --git a/queue-4.4/series b/queue-4.4/series
index eb6b070c744..4432e0ddcb7 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
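Review bot: The new `static atomic64_t unique_id;` in nf_conntrack_init_net carries no comment, so the reason a counter replaces the `net` pointer lives only in the patch description and a later cleanup could reintroduce `%p` without noticing the slab name is exported under /sys; suggest `/* slab name is visible under /sys: derive it from a counter, never from a kernel pointer */` above the declaration. The counter-based name still reveals how many network namespaces have been initialised since boot, a far weaker disclosure than a kernel address but worth one clause in that comment so the trade-off is explicit. The `(u64)` cast on the atomic64_inc_return result pins the argument type to the `%llu` conversion regardless of how the arch defines the atomic64 return type, which is the right thing to do but also merits a short note. nf_conntrack_init_net continues outside the hunk, so the err_slabname/err_pcpu_lists unwind paths are not visible here.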
@@ -70,3 +70,4 @@ drm-radeon-fix-pll-sharing-on-dce6.1-v2.patch
 drm-i915-bail-out-of-pipe-config-compute-loop-on-lpt.patch
 drm-i915-bdw-add-missing-delay-during-l3-sqc-credit-programming.patch
 drm-radeon-fix-dp-link-training-issue-with-second-4k-monitor.patch
+nf_conntrack-avoid-kernel-pointer-value-leak-in-slab-name.patch