3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 May 2014 23:56:05 +0000 (16:56 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 May 2014 23:56:05 +0000 (16:56 -0700)
added patches:
netfilter-can-t-fail-and-free-after-table-replacement.patch
netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch

queue-3.4/netfilter-can-t-fail-and-free-after-table-replacement.patch [new file with mode: 0644]
queue-3.4/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/netfilter-can-t-fail-and-free-after-table-replacement.patch b/queue-3.4/netfilter-can-t-fail-and-free-after-table-replacement.patch
new file mode 100644 (file)
index 0000000..2f206be
--- /dev/null
@@ -0,0 +1,91 @@
+From c58dd2dd443c26d856a168db108a0cd11c285bf3 Mon Sep 17 00:00:00 2001
+From: Thomas Graf <tgraf@suug.ch>
+Date: Fri, 4 Apr 2014 17:57:45 +0200
+Subject: netfilter: Can't fail and free after table replacement
+
+From: Thomas Graf <tgraf@suug.ch>
+
+commit c58dd2dd443c26d856a168db108a0cd11c285bf3 upstream.
+
+All xtables variants suffer from the defect that the copy_to_user()
+to copy the counters to user memory may fail after the table has
+already been exchanged and thus exposed. Return an error at this
+point will result in freeing the already exposed table. Any
+subsequent packet processing will result in a kernel panic.
+
+We can't copy the counters before exposing the new tables as we
+want provide the counter state after the old table has been
+unhooked. Therefore convert this into a silent error.
+
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c |    5 ++---
+ net/ipv4/netfilter/arp_tables.c |    6 ++++--
+ net/ipv4/netfilter/ip_tables.c  |    6 ++++--
+ net/ipv6/netfilter/ip6_tables.c |    6 ++++--
+ 4 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net
+       if (repl->num_counters &&
+          copy_to_user(repl->counters, counterstmp,
+          repl->num_counters * sizeof(struct ebt_counter))) {
+-              ret = -EFAULT;
++              /* Silent error, can't fail, new table is already in place */
++              net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
+       }
+-      else
+-              ret = 0;
+       /* decrease module count and free resources */
+       EBT_ENTRY_ITERATE(table->entries, table->entries_size,
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1039,8 +1039,10 @@ static int __do_replace(struct net *net,
+       xt_free_table_info(oldinfo);
+       if (copy_to_user(counters_ptr, counters,
+-                       sizeof(struct xt_counters) * num_counters) != 0)
+-              ret = -EFAULT;
++                       sizeof(struct xt_counters) * num_counters) != 0) {
++              /* Silent error, can't fail, new table is already in place */
++              net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n");
++      }
+       vfree(counters);
+       xt_table_unlock(t);
+       return ret;
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1227,8 +1227,10 @@ __do_replace(struct net *net, const char
+       xt_free_table_info(oldinfo);
+       if (copy_to_user(counters_ptr, counters,
+-                       sizeof(struct xt_counters) * num_counters) != 0)
+-              ret = -EFAULT;
++                       sizeof(struct xt_counters) * num_counters) != 0) {
++              /* Silent error, can't fail, new table is already in place */
++              net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
++      }
+       vfree(counters);
+       xt_table_unlock(t);
+       return ret;
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1236,8 +1236,10 @@ __do_replace(struct net *net, const char
+       xt_free_table_info(oldinfo);
+       if (copy_to_user(counters_ptr, counters,
+-                       sizeof(struct xt_counters) * num_counters) != 0)
+-              ret = -EFAULT;
++                       sizeof(struct xt_counters) * num_counters) != 0) {
++              /* Silent error, can't fail, new table is already in place */
++              net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
++      }
+       vfree(counters);
+       xt_table_unlock(t);
+       return ret;
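Review bot: In the ebtables hunk the removed `else ret = 0;` was the last assignment to `ret` before do_replace_finish() returns it, so the function's `return ret;` (below the hunk) now depends on `ret` still holding 0 from the earlier lookup and check paths instead of being set where the decision is made; an explicit `return 0;` at the end of do_replace_finish() would make the "cannot fail once the new table is in place" contract visible in the code rather than implicit. The arp_tables, ip_tables and ip6_tables hunks have the same shape but presumably get `ret` from the preceding xt_replace_table() call (not in the hunk), so they are less fragile. After this change a copy_to_user() failure on a bad `repl->counters` / `counters_ptr` is reported only through the ratelimited kernel warning, so the caller receives success while its counter snapshot is incomplete — that is the intended trade-off, but the comment `/* Silent error, can't fail, new table is already in place */` could say that userspace sees success. do_replace_finish() and the three __do_replace() functions all start and end outside the hunk.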
diff --git a/queue-3.4/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch b/queue-3.4/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
new file mode 100644 (file)
index 0000000..051fc68
--- /dev/null
@@ -0,0 +1,54 @@
+From 223b02d923ecd7c84cf9780bb3686f455d279279 Mon Sep 17 00:00:00 2001
+From: Andrey Vagin <avagin@openvz.org>
+Date: Fri, 28 Mar 2014 13:54:32 +0400
+Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
+
+From: Andrey Vagin <avagin@openvz.org>
+
+commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
+
+"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
+case it can contain all extensions. Bellow you can find sizes for all
+types of extensions. Their sum is definitely bigger than 256.
+
+nf_ct_ext_types[0]->len = 24
+nf_ct_ext_types[1]->len = 32
+nf_ct_ext_types[2]->len = 24
+nf_ct_ext_types[3]->len = 32
+nf_ct_ext_types[4]->len = 152
+nf_ct_ext_types[5]->len = 2
+nf_ct_ext_types[6]->len = 16
+nf_ct_ext_types[7]->len = 8
+
+I have seen "len" up to 280 and my host has crashes w/o this patch.
+
+The right way to fix this problem is reducing the size of the ecache
+extension (4) and Florian is going to do this, but these changes will
+be quite large to be appropriate for a stable tree.
+
+Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrey Vagin <avagin@openvz.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_conntrack_extend.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_extend.h
++++ b/include/net/netfilter/nf_conntrack_extend.h
+@@ -37,8 +37,8 @@ enum nf_ct_ext_id {
+ /* Extensions: optional stuff which isn't permanently in struct. */
+ struct nf_ct_ext {
+       struct rcu_head rcu;
+-      u8 offset[NF_CT_EXT_NUM];
+-      u8 len;
++      u16 offset[NF_CT_EXT_NUM];
++      u16 len;
+       char data[0];
+ };
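Review bot: Widening `offset[]` and `len` to u16 removes the truncation that caused the crash, but no guard is added where these fields are written, so a future extension set whose total exceeds the new width would wrap silently in the same way; the store sites are outside this hunk, but a check at the place `len` is assigned, e.g. `WARN_ON(total > USHRT_MAX)` with `total` standing for whatever local holds the computed length, would catch a recurrence. The change also grows `struct nf_ct_ext` and shifts `data[0]`, so any code that derives the first extension offset from a constant rather than `sizeof(struct nf_ct_ext)` would need the same review, which the commit message does not mention. A short comment on the fields, such as `/* u16: the sum of all extension sizes exceeds 255, see commit 223b02d923ec */`, would stop the next reader from shrinking them back.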
index f53bdedb5412e99995285f1f9509af215935fd08..738d31a34b790fcce1ee8826f45fbbe6c1d30612 100644 (file)
@@ -1,3 +1,5 @@
 scsi-megaraid-missing-bounds-check-in-mimd_to_kioc.patch
 n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
 blktrace-fix-accounting-of-partially-completed-requests.patch
+netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
+netfilter-can-t-fail-and-free-after-table-replacement.patch