--- /dev/null
+From c58dd2dd443c26d856a168db108a0cd11c285bf3 Mon Sep 17 00:00:00 2001
+From: Thomas Graf <tgraf@suug.ch>
+Date: Fri, 4 Apr 2014 17:57:45 +0200
+Subject: netfilter: Can't fail and free after table replacement
+
+From: Thomas Graf <tgraf@suug.ch>
+
+commit c58dd2dd443c26d856a168db108a0cd11c285bf3 upstream.
+
+All xtables variants suffer from the defect that the copy_to_user()
+to copy the counters to user memory may fail after the table has
+already been exchanged and thus exposed. Return an error at this
+point will result in freeing the already exposed table. Any
+subsequent packet processing will result in a kernel panic.
+
+We can't copy the counters before exposing the new tables as we
+want provide the counter state after the old table has been
+unhooked. Therefore convert this into a silent error.
+
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c | 5 ++---
+ net/ipv4/netfilter/arp_tables.c | 6 ++++--
+ net/ipv4/netfilter/ip_tables.c | 6 ++++--
+ net/ipv6/netfilter/ip6_tables.c | 6 ++++--
+ 4 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net
+ if (repl->num_counters &&
+ copy_to_user(repl->counters, counterstmp,
+ repl->num_counters * sizeof(struct ebt_counter))) {
+- ret = -EFAULT;
++ /* Silent error, can't fail, new table is already in place */
++ net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
+ }
+- else
+- ret = 0;
+
+ /* decrease module count and free resources */
+ EBT_ENTRY_ITERATE(table->entries, table->entries_size,
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1044,8 +1044,10 @@ static int __do_replace(struct net *net,
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+- sizeof(struct xt_counters) * num_counters) != 0)
+- ret = -EFAULT;
++ sizeof(struct xt_counters) * num_counters) != 0) {
++ /* Silent error, can't fail, new table is already in place */
++ net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n");
++ }
+ vfree(counters);
+ xt_table_unlock(t);
+ return ret;
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1231,8 +1231,10 @@ __do_replace(struct net *net, const char
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+- sizeof(struct xt_counters) * num_counters) != 0)
+- ret = -EFAULT;
++ sizeof(struct xt_counters) * num_counters) != 0) {
++ /* Silent error, can't fail, new table is already in place */
++ net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
++ }
+ vfree(counters);
+ xt_table_unlock(t);
+ return ret;
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1241,8 +1241,10 @@ __do_replace(struct net *net, const char
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+- sizeof(struct xt_counters) * num_counters) != 0)
+- ret = -EFAULT;
++ sizeof(struct xt_counters) * num_counters) != 0) {
++ /* Silent error, can't fail, new table is already in place */
++ net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
++ }
+ vfree(counters);
+ xt_table_unlock(t);
+ return ret;
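Review bot: In the ebtables hunk, dropping `else ret = 0;` leaves the success-path return value as whatever `ret` held before this block, which lies outside the hunk; the same applies to the three xtables hunks, where `ret = -EFAULT` is gone and the `return ret` at the end of each no longer reflects the copy failure. That is the intended outcome, but it is only correct if no earlier success path leaves `ret` non-zero — presumably true because earlier failures jump past this point, yet it deserves a one-line comment before each return such as `/* ret is 0 here: the only failure possible after the table swap is the counters copy, which is logged rather than returned */`. Callers should also be told that the memory at `counters_ptr` / `repl->counters` is unspecified when the rate-limited warning fires, so a userspace tool does not act on stale counter data; that belongs in each function's header comment, which is outside the hunk. `do_replace_finish` and each `__do_replace` begin before and end after their respective hunks.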
--- /dev/null
+From 223b02d923ecd7c84cf9780bb3686f455d279279 Mon Sep 17 00:00:00 2001
+From: Andrey Vagin <avagin@openvz.org>
+Date: Fri, 28 Mar 2014 13:54:32 +0400
+Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
+
+From: Andrey Vagin <avagin@openvz.org>
+
+commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
+
+"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
+case it can contain all extensions. Bellow you can find sizes for all
+types of extensions. Their sum is definitely bigger than 256.
+
+nf_ct_ext_types[0]->len = 24
+nf_ct_ext_types[1]->len = 32
+nf_ct_ext_types[2]->len = 24
+nf_ct_ext_types[3]->len = 32
+nf_ct_ext_types[4]->len = 152
+nf_ct_ext_types[5]->len = 2
+nf_ct_ext_types[6]->len = 16
+nf_ct_ext_types[7]->len = 8
+
+I have seen "len" up to 280 and my host has crashes w/o this patch.
+
+The right way to fix this problem is reducing the size of the ecache
+extension (4) and Florian is going to do this, but these changes will
+be quite large to be appropriate for a stable tree.
+
+Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrey Vagin <avagin@openvz.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_conntrack_extend.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_extend.h
++++ b/include/net/netfilter/nf_conntrack_extend.h
+@@ -47,8 +47,8 @@ enum nf_ct_ext_id {
+ /* Extensions: optional stuff which isn't permanently in struct. */
+ struct nf_ct_ext {
+ struct rcu_head rcu;
+- u8 offset[NF_CT_EXT_NUM];
+- u8 len;
++ u16 offset[NF_CT_EXT_NUM];
++ u16 len;
+ char data[0];
+ };
+
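Review bot: Widening `offset[]` and `len` in `struct nf_ct_ext` to u16 removes the overflow seen at 280 bytes, but nothing in the change bounds the total extension length against the new width, so the same silent truncation would recur if the registered extensions ever sum past 65535; an explicit check where the new total is stored into `len` (in the allocation path, outside this hunk), or a build-time assertion over the registered type lengths, would make the limit visible instead of implicit. Any caller that copies `len` or an `offset[]` entry into a u8-typed local would still truncate after this change, so the users of these fields need the same widening — not visible here, verify. Each allocation of this struct grows by NF_CT_EXT_NUM + 1 bytes (plus any padding) and the commit message could state that cost since it is paid per conntrack entry.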
--- /dev/null
+From a9bdd8365684810e3de804f8c51e52c26a5eccbb Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 24 Mar 2014 15:10:37 +0100
+Subject: netfilter: nf_tables: set names cannot be larger than 15 bytes
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit a9bdd8365684810e3de804f8c51e52c26a5eccbb upstream.
+
+Currently, nf_tables trims off the set name if it exceeeds 15
+bytes, so explicitly reject set names that are too large.
+
+Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1934,7 +1934,8 @@ static const struct nft_set_ops *nft_sel
+
+ static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
+ [NFTA_SET_TABLE] = { .type = NLA_STRING },
+- [NFTA_SET_NAME] = { .type = NLA_STRING },
++ [NFTA_SET_NAME] = { .type = NLA_STRING,
++ .len = IFNAMSIZ - 1 },
+ [NFTA_SET_FLAGS] = { .type = NLA_U32 },
+ [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
+ [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
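Review bot: `.len = IFNAMSIZ - 1` on the NFTA_SET_NAME entry borrows an interface-name constant to bound a set name, which ties the netlink policy limit to an unrelated definition; a dedicated constant shared by this policy and the `name` buffer it protects (e.g. `#define NFT_SET_MAXNAMELEN IFNAMSIZ`, placeholder name, sized from whatever the set struct actually uses) would keep the two from drifting apart. For NLA_STRING the policy `.len` is the maximum length excluding the terminator, so 15 matches the subject line, and saying so in the comment or commit message would head off the easy off-by-one. NFTA_SET_TABLE on the line above remains an unbounded NLA_STRING; if it is only used for lookup via `nla_strcmp` that is harmless, but any path that copies it into a fixed buffer needs the same bound — not visible here, confirm. The `nft_set_policy` array starts inside the hunk and its remaining entries continue past it.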
pid-get-pid_t-ppid-of-task-in-init_pid_ns.patch
audit-convert-ppids-to-the-inital-pid-namespace.patch
netfilter-nf_tables-fix-nft_cmp_fast-failure-on-big-endian-for-size-4.patch
+netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
blktrace-fix-accounting-of-partially-completed-requests.patch
+netfilter-can-t-fail-and-free-after-table-replacement.patch
+netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch