From: Greg Kroah-Hartman Date: Tue, 12 Mar 2019 18:58:22 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v5.0.2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fcbfbc479aa99fb41473ec384e2b6e910608dd3d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch
---
diff --git a/queue-4.4/netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch b/queue-4.4/netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch
new file mode 100644
index 00000000000..d1e4c378dd0
--- /dev/null
+++ b/queue-4.4/netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch
@@ -0,0 +1,99 @@ +From b301f2538759933cf9ff1f7c4f968da72e3f0757 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 24 Mar 2016 21:29:53 +0100 +Subject: netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES + +From: Pablo Neira Ayuso + +commit b301f2538759933cf9ff1f7c4f968da72e3f0757 upstream. + +Make sure the table names via getsockopt GET_ENTRIES is nul-terminated +in ebtables and all the x_tables variants and their respective compat +code. Uncovered by KASAN. + +Reported-by: Baozeng Ding +Signed-off-by: Pablo Neira Ayuso +Cc: Zubin Mithra +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/ebtables.c | 4 ++++ + net/ipv4/netfilter/arp_tables.c | 2 ++ + net/ipv4/netfilter/ip_tables.c | 2 ++ + net/ipv6/netfilter/ip6_tables.c | 2 ++ + 4 files changed, 10 insertions(+) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1528,6 +1528,8 @@ static int do_ebt_get_ctl(struct sock *s + if (copy_from_user(&tmp, user, sizeof(tmp))) + return -EFAULT; + ++ tmp.name[sizeof(tmp.name) - 1] = '\0'; ++ + t = find_table_lock(net, tmp.name, &ret, &ebt_mutex); + if (!t) + return ret; +@@ -2368,6 +2370,8 @@ static int compat_do_ebt_get_ctl(struct + if (copy_from_user(&tmp, user, sizeof(tmp))) + return -EFAULT; + ++ tmp.name[sizeof(tmp.name) - 1] = '\0'; ++ + t = find_table_lock(net, tmp.name, &ret, &ebt_mutex); + if (!t) + return ret; +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -983,6 +983,7 @@ static int get_entries(struct net *net, + sizeof(struct arpt_get_entries) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + t = xt_find_table_lock(net, NFPROTO_ARP, get.name); + if (!IS_ERR_OR_NULL(t)) { +@@ -1557,6 +1558,7 @@ static int compat_get_entries(struct net + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + xt_compat_lock(NFPROTO_ARP); + t = xt_find_table_lock(net, NFPROTO_ARP, 
get.name); +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1171,6 +1171,7 @@ get_entries(struct net *net, struct ipt_ + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + t = xt_find_table_lock(net, AF_INET, get.name); + if (!IS_ERR_OR_NULL(t)) { +@@ -1799,6 +1800,7 @@ compat_get_entries(struct net *net, stru + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + xt_compat_lock(AF_INET); + t = xt_find_table_lock(net, AF_INET, get.name); +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1182,6 +1182,7 @@ get_entries(struct net *net, struct ip6t + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + t = xt_find_table_lock(net, AF_INET6, get.name); + if (!IS_ERR_OR_NULL(t)) { +@@ -1800,6 +1801,7 @@ compat_get_entries(struct net *net, stru + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + xt_compat_lock(AF_INET6); + t = xt_find_table_lock(net, AF_INET6, get.name); diff --git a/queue-4.4/series b/queue-4.4/series index d894bda9312..7bcc705a071 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -119,3 +119,4 @@ arm-dts-exynos-add-minimal-clkout-parameters-to-exynos3250-pmu.patch revert-x86-platform-uv-use-efi_runtime_lock-to-seria.patch arm-dts-exynos-do-not-ignore-real-world-fuse-values-for-thermal-zone-0-on-exynos5420.patch udplite-call-proper-backlog-handlers.patch +netfilter-x_tables-enforce-nul-terminated-table-name-from-getsockopt-get_entries.patch
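Review bot: The added `tmp.name[sizeof(tmp.name) - 1] = '\0';` in do_ebt_get_ctl, and the matching `get.name[sizeof(get.name) - 1] = '\0';` lines in the seven other hunks of the queued patch, carry no comment saying why the last byte is overwritten, so a later cleanup could mistake them for dead code. The name field arrives from user space (the ebtables hunks show the `copy_from_user` directly above) and is then passed to the table lookup as a C string, which is presumably the read past the buffer that KASAN reported; I would put `/* name comes from user space and may lack a terminating NUL */` above each assignment. An over-long name is silently truncated rather than rejected with -EINVAL, which matches the upstream commit and is the appropriate choice for a stable backport. Only the GET_ENTRIES paths are visible here, so it is worth confirming that the other sockopt handlers in the 4.4 tree that take a table name from user space terminate it too. All eight functions begin and end outside their hunks.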