From: Greg Kroah-Hartman
Date: Mon, 25 Feb 2019 16:37:00 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.9.161~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e4aaabd0312b29f7ef6f7a4e96c9d9fc58d01677;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
net-avoid-false-positives-in-untrusted-gso-validation.patch
net-validate-untrusted-gso-packets-without-csum-offload.patch
netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
netfilter-nft_compat-use-after-free-when-deleting-targets.patch
revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
---
diff --git a/queue-4.14/net-avoid-false-positives-in-untrusted-gso-validation.patch b/queue-4.14/net-avoid-false-positives-in-untrusted-gso-validation.patch
new file mode 100644
index 00000000000..547168994eb
--- /dev/null
+++ b/queue-4.14/net-avoid-false-positives-in-untrusted-gso-validation.patch
@@ -0,0 +1,54 @@
+From 9e8db5913264d3967b93c765a6a9e464d9c473db Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn
+Date: Mon, 18 Feb 2019 23:37:12 -0500
+Subject: net: avoid false positives in untrusted gso validation
+
+From: Willem de Bruijn
+
+commit 9e8db5913264d3967b93c765a6a9e464d9c473db upstream.
+
+GSO packets with vnet_hdr must conform to a small set of gso_types.
+The below commit uses flow dissection to drop packets that do not.
+
+But it has false positives when the skb is not fully initialized.
+Dissection needs skb->protocol and skb->network_header.
+
+Infer skb->protocol from gso_type as the two must agree.
+SKB_GSO_UDP can use both ipv4 and ipv6, so try both.
+
+Exclude callers for which network header offset is not known.
+
+Fixes: d5be7f632bad ("net: validate untrusted gso packets without csum offload")
+Signed-off-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/virtio_net.h | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -61,10 +61,20 @@ static inline int virtio_net_hdr_to_skb(
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+ * probe and drop if does not match one of the above types.
+ */
+- if (gso_type) {
++ if (gso_type && skb->network_header) {
++ if (!skb->protocol)
++ virtio_net_hdr_set_proto(skb, hdr);
++retry:
+ skb_probe_transport_header(skb, -1);
+- if (!skb_transport_header_was_set(skb))
++ if (!skb_transport_header_was_set(skb)) {
++ /* UFO does not specify ipv4 or 6: try both */
++ if (gso_type & SKB_GSO_UDP &&
++ skb->protocol == htons(ETH_P_IP)) {
++ skb->protocol = htons(ETH_P_IPV6);
++ goto retry;
++ }
+ return -EINVAL;
++ }
+ }
+ }
+
diff --git a/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch b/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch
new file mode 100644
index 00000000000..44d14e8d8d3
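Review bot: `virtio_net_hdr_set_proto(skb, hdr)` is called from the new `if (!skb->protocol)` branch but is not defined anywhere in this patch, and it appears to come from a separate upstream commit, so the 4.14 tree must already carry that helper or this backport will not compile; worth confirming before it lands in the queue. The new `skb->network_header` guard also means a packet whose network header offset is 0 is not validated at all — a silent skip rather than a drop — and a comment such as `/* network_header == 0: caller has not set it, skip the probe */` would make that trade-off visible in the code. The `goto retry` is bounded, since the second pass runs with protocol already set to ETH_P_IPV6 and then falls through to `return -EINVAL`. virtio_net_hdr_to_skb() starts and ends outside the hunk.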
--- /dev/null
+++ b/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch
@@ -0,0 +1,65 @@
+From d5be7f632bad0f489879eed0ff4b99bd7fe0b74c Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn
+Date: Fri, 15 Feb 2019 12:15:47 -0500
+Subject: net: validate untrusted gso packets without csum offload
+
+From: Willem de Bruijn
+
+commit d5be7f632bad0f489879eed0ff4b99bd7fe0b74c upstream.
+
+Syzkaller again found a path to a kernel crash through bad gso input.
+By building an excessively large packet to cause an skb field to wrap.
+
+If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in
+skb_partial_csum_set.
+
+GSO packets that do not set checksum offload are suspicious and rare.
+Most callers of virtio_net_hdr_to_skb already pass them to
+skb_probe_transport_header.
+
+Move that test forward, change it to detect parse failure and drop
+packets on failure as those cleary are not one of the legitimate
+VIRTIO_NET_HDR_GSO types.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
+Reported-by: syzbot
+Signed-off-by: Willem de Bruijn
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/skbuff.h | 2 +-
+ include/linux/virtio_net.h | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2377,7 +2377,7 @@ static inline void skb_probe_transport_h
+ return;
+ else if (skb_flow_dissect_flow_keys(skb, &keys, 0))
+ skb_set_transport_header(skb, keys.control.thoff);
+- else
++ else if (offset_hint >= 0)
+ skb_set_transport_header(skb, offset_hint);
+ }
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -57,6 +57,15 @@ static inline int virtio_net_hdr_to_skb(
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
++ } else {
++ /* gso packets without NEEDS_CSUM do not set transport_offset.
++ * probe and drop if does not match one of the above types.
++ */
++ if (gso_type) {
++ skb_probe_transport_header(skb, -1);
++ if (!skb_transport_header_was_set(skb))
++ return -EINVAL;
++ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
diff --git a/queue-4.14/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch b/queue-4.14/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
new file mode 100644
index 00000000000..199b91c5b60
--- /dev/null
+++ b/queue-4.14/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
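Review bot: The new else-branch probe in virtio_net_hdr_to_skb() relies on skb->protocol and skb->network_header already being set, and the follow-up patch in this same batch (net-avoid-false-positives-in-untrusted-gso-validation.patch) states that is not true for every caller, so this patch on its own drops legitimate GSO packets from those callers; the two should stay adjacent in the series order shown. The skbuff.h hunk also changes skb_probe_transport_header() for every caller: a negative offset_hint now leaves the transport header unset instead of being applied, which is exactly what the new `skb_transport_header_was_set()` check depends on, so a comment on that line such as `/* negative hint: leave unset so callers can detect dissection failure */` would keep the contract visible. Both functions start outside their hunks.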
@@ -0,0 +1,45 @@
+From 15df03c661cb362366ecfc3a21820cb934f3e4ca Mon Sep 17 00:00:00 2001
+From: Eli Cooper
+Date: Mon, 21 Jan 2019 18:45:27 +0800
+Subject: netfilter: ipv6: Don't preserve original oif for loopback address
+
+From: Eli Cooper
+
+commit 15df03c661cb362366ecfc3a21820cb934f3e4ca upstream.
+
+Commit 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic
+original oif") made ip6_route_me_harder() keep the original oif for
+link-local and multicast packets. However, it also affected packets
+for the loopback address because it used rt6_need_strict().
+
+REDIRECT rules in the OUTPUT chain rewrite the destination to loopback
+address; thus its oif should not be preserved. This commit fixes the bug
+that redirected local packets are being dropped. Actually the packet was
+not exactly dropped; Instead it was sent out to the original oif rather
+than lo. When a packet with daddr ::1 is sent to the router, it is
+effectively dropped.
+
+Fixes: 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic original oif")
+Signed-off-by: Eli Cooper
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/netfilter.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,9 +24,11 @@ int ip6_route_me_harder(struct net *net,
+ struct sock *sk = sk_to_full_sk(skb->sk);
+ unsigned int hh_len;
+ struct dst_entry *dst;
++ int strict = (ipv6_addr_type(&iph->daddr) &
++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
+ struct flowi6 fl6 = {
+ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
+- rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
++ strict ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
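Review bot: The new `strict` mask deliberately leaves out the loopback address type, which is the whole difference from the removed rt6_need_strict() call, but nothing at the declaration says so, and a later reader could "simplify" it back to the helper and reintroduce the mis-routed REDIRECT traffic this patch fixes; a comment above the declaration such as `/* keep the oif only for link-local/multicast; loopback (REDIRECT to ::1) must re-route via lo */` would guard against that. `strict` holds the masked address-type bits rather than a boolean, so `bool strict = ...` with a `!!` (or a `bool`-typed expression) would match how the initializer uses it. ip6_route_me_harder() continues outside the hunk.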
diff --git a/queue-4.14/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch b/queue-4.14/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
new file mode 100644
index 00000000000..cc755c33ce3
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
@@ -0,0 +1,35 @@
+From 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 15 Feb 2019 12:50:24 +0100
+Subject: netfilter: nf_tables: fix flush after rule deletion in the same batch
+
+From: Pablo Neira Ayuso
+
+commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
+
+Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
+been already from nft_delrule_by_chain() which is always called from the
+flush path.
+
+Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
+Reported-by: Phil Sutter
+Acked-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -304,6 +304,9 @@ static int nft_delrule_by_chain(struct n
+ int err;
+
+ list_for_each_entry(rule, &ctx->chain->rules, list) {
++ if (!nft_is_active_next(ctx->net, rule))
++ continue;
++
+ err = nft_delrule(ctx, rule);
+ if (err < 0)
+ return err;
diff --git a/queue-4.14/netfilter-nft_compat-use-after-free-when-deleting-targets.patch b/queue-4.14/netfilter-nft_compat-use-after-free-when-deleting-targets.patch
new file mode 100644
index 00000000000..ca9668d7fda
--- /dev/null
+++ b/queue-4.14/netfilter-nft_compat-use-after-free-when-deleting-targets.patch
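Review bot: The added `nft_is_active_next()` check carries no comment, and the commit message is the only place explaining that a rule already deleted earlier in the same batch is inactive in the next generation, so asking nft_delrule() to delete it again is what produced the spurious -ENOENT; a one-line comment above the `continue`, e.g. `/* already deleted earlier in this batch: skip, or nft_delrule() fails with -ENOENT */`, keeps that rationale next to the code. This is presumably safe for the flush path only because the message says nft_delrule_by_chain() is always called from there; if any other caller is added later it inherits the skip. nft_delrule_by_chain() starts before the hunk.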
@@ -0,0 +1,39 @@
+From 753c111f655e38bbd52fc01321266633f022ebe2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 13 Feb 2019 13:03:53 +0100
+Subject: netfilter: nft_compat: use-after-free when deleting targets
+
+From: Pablo Neira Ayuso
+
+commit 753c111f655e38bbd52fc01321266633f022ebe2 upstream.
+
+Fetch pointer to module before target object is released.
+
+Fixes: 29e3880109e3 ("netfilter: nf_tables: fix use-after-free when deleting compat expressions")
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nft_compat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -277,6 +277,7 @@ nft_target_destroy(const struct nft_ctx
+ {
+ struct xt_target *target = expr->ops->data;
+ void *info = nft_expr_priv(expr);
++ struct module *me = target->me;
+ struct xt_tgdtor_param par;
+
+ par.net = ctx->net;
+@@ -287,7 +288,7 @@ nft_target_destroy(const struct nft_ctx
+ par.target->destroy(&par);
+
+ if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+- module_put(target->me);
++ module_put(me);
+ }
+
+ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/queue-4.14/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch b/queue-4.14/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
new file mode 100644
index 00000000000..fd5e1832da7
--- /dev/null
+++ b/queue-4.14/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
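Review bot: The new `me` local exists only because, per the commit message, `target` may already be released once `nft_xt_put()` drops the last reference, yet nothing at the declaration records that ordering constraint, so a future cleanup could fold the read back into the `module_put()` call and reintroduce the use-after-free; a comment on the new line, `/* read before nft_xt_put() may release the target */`, would pin it. If the match-side destroy path in the 4.14 tree (not in this hunk) still does `module_put(match->me)` after its own put, it is worth checking whether it needs the same treatment. nft_target_destroy() is shown only in part across the two hunks.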
@@ -0,0 +1,56 @@
+From 278e2148c07559dd4ad8602f22366d61eb2ee7b7 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Fri, 22 Feb 2019 21:22:32 +0800
+Subject: Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu
+
+commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream.
+
+This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list
+when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net:
+bridge: remove ipv6 zero address check in mcast queries")
+
+The reason is RFC 4541 is not a standard but suggestive. Currently we
+will elect 0.0.0.0 as Querier if there is no ip address configured on
+bridge. If we do not add the port which recives query with source
+0.0.0.0 to router list, the IGMP reports will not be about to forward
+to Querier, IGMP data will also not be able to forward to dest.
+
+As Nikolay suggested, revert this change first and add a boolopt api
+to disable none-zero election in future if needed.
+
+Reported-by: Linus Lüssing
+Reported-by: Sebastian Gottschall
+Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
+Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries")
+Signed-off-by: Hangbin Liu
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_multicast.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1390,14 +1390,7 @@ static void br_multicast_query_received(
+ return;
+
+ br_multicast_update_query_timer(br, query, max_delay);
+-
+- /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+- * the arrival port for IGMP Queries where the source address
+- * is 0.0.0.0 should not be added to router port list.
+- */
+- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+- saddr->proto == htons(ETH_P_IPV6))
+- br_multicast_mark_router(br, port);
++ br_multicast_mark_router(br, port);
+ }
+
+ static int br_ip4_multicast_query(struct net_bridge *br,
diff --git a/queue-4.14/series b/queue-4.14/series
index 732ce6de98e..0af3e853281 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -60,3 +60,9 @@ arcv2-enable-unaligned-access-in-early-asm-code.patch
 arc-u-boot-check-arguments-paranoidly.patch
 arc-define-arch_slab_minalign-8.patch
 drm-i915-fbdev-actually-configure-untiled-displays.patch
+net-validate-untrusted-gso-packets-without-csum-offload.patch
+net-avoid-false-positives-in-untrusted-gso-validation.patch
+revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
+netfilter-nft_compat-use-after-free-when-deleting-targets.patch
+netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
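Review bot: The revert drops the RFC 4541 comment together with the source-address check, so the unconditional `br_multicast_mark_router(br, port)` now carries no in-code hint that treating a query from 0.0.0.0 as a router is deliberate, and the next reader may well re-add the filter this revert removes; a one-line comment above the call, e.g. `/* queries from 0.0.0.0 also mark the port: the bridge itself elects 0.0.0.0 as querier when it has no address (RFC 4541 2.1.1 is advisory) */`, would prevent that. The behavioural consequence — an unspecified-source query now marks the arrival port as a router port just as any other query source already did — is what the commit message defers to a future boolopt, which is acceptable for stable but is worth stating where the code lives. br_multicast_query_received() begins before the hunk.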