Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora

3 files changed, 216 insertions, 0 deletions

diff --git a/0001-netfilter-xtables-zero-padding-in-data_to_user.patch b/0001-netfilter-xtables-zero-padding-in-data_to_user.patch
new file mode 100644
index 000000000..b23e387a6
--- /dev/null
+++ b/0001-netfilter-xtables-zero-padding-in-data_to_user.patch
@@ -0,0 +1,116 @@
+From b1a27013a72d5744be6510c05b86e1b9dd605012 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 9 May 2017 16:17:37 -0400
+Subject: [PATCH 1/2] netfilter: xtables: zero padding in data_to_user
+
+When looking up an iptables rule, the iptables binary compares the
+aligned match and target data (XT_ALIGN). In some cases this can
+exceed the actual data size to include padding bytes.
+
+Before commit f77bc5b23fb1 ("iptables: use match, target and data
+copy_to_user helpers") the malloc()ed bytes were overwritten by the
+kernel with kzalloced contents, zeroing the padding and making the
+comparison succeed. After this patch, the kernel copies and clears
+only data, leaving the padding bytes undefined.
+
+Extend the clear operation from data size to aligned data size to
+include the padding bytes, if any.
+
+Padding bytes can be observed in both match and target, and the bug
+triggered, by issuing a rule with match icmp and target ACCEPT:
+
+  iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
+  iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
+
+Fixes: f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers")
+Reported-by: Paul Moore <pmoore@redhat.com>
+Reported-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/linux/netfilter/x_tables.h | 2 +-
+ net/bridge/netfilter/ebtables.c    | 9 ++++++---
+ net/netfilter/x_tables.c           | 9 ++++++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
+index be378cf..b3044c2c 100644
+--- a/include/linux/netfilter/x_tables.h
++++ b/include/linux/netfilter/x_tables.h
+@@ -294,7 +294,7 @@ int xt_match_to_user(const struct xt_entry_match *m,
+ int xt_target_to_user(const struct xt_entry_target *t,
+ 		      struct xt_entry_target __user *u);
+ int xt_data_to_user(void __user *dst, const void *src,
+-		    int usersize, int size);
++		    int usersize, int size, int aligned_size);
+ 
+ void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
+ 				 struct xt_counters_info *info, bool compat);
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 79b6991..656c259 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1358,7 +1358,8 @@ static inline int ebt_obj_to_user(char __user *um, const char *_name,
+ 	strlcpy(name, _name, sizeof(name));
+ 	if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
+ 	    put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
+-	    xt_data_to_user(um + entrysize, data, usersize, datasize))
++	    xt_data_to_user(um + entrysize, data, usersize, datasize,
++			    XT_ALIGN(datasize)))
+ 		return -EFAULT;
+ 
+ 	return 0;
+@@ -1643,7 +1644,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
+ 		if (match->compat_to_user(cm->data, m->data))
+ 			return -EFAULT;
+ 	} else {
+-		if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
++		if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
++				    COMPAT_XT_ALIGN(msize)))
+ 			return -EFAULT;
+ 	}
+ 
+@@ -1672,7 +1674,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
+ 		if (target->compat_to_user(cm->data, t->data))
+ 			return -EFAULT;
+ 	} else {
+-		if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
++		if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
++				    COMPAT_XT_ALIGN(tsize)))
+ 			return -EFAULT;
+ 	}
+ 
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 14857af..afb02fd 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -283,12 +283,13 @@ static int xt_obj_to_user(u16 __user *psize, u16 size,
+ 		       &U->u.user.revision, K->u.kernel.TYPE->revision)
+ 
+ int xt_data_to_user(void __user *dst, const void *src,
+-		    int usersize, int size)
++		    int usersize, int size, int aligned_size)
+ {
+ 	usersize = usersize ? : size;
+ 	if (copy_to_user(dst, src, usersize))
+ 		return -EFAULT;
+-	if (usersize != size && clear_user(dst + usersize, size - usersize))
++	if (usersize != aligned_size &&
++	    clear_user(dst + usersize, aligned_size - usersize))
+ 		return -EFAULT;
+ 
+ 	return 0;
+@@ -298,7 +299,9 @@ EXPORT_SYMBOL_GPL(xt_data_to_user);
+ #define XT_DATA_TO_USER(U, K, TYPE, C_SIZE)				\
+ 	xt_data_to_user(U->data, K->data,				\
+ 			K->u.kernel.TYPE->usersize,			\
+-			C_SIZE ? : K->u.kernel.TYPE->TYPE##size)
++			C_SIZE ? : K->u.kernel.TYPE->TYPE##size,	\
++			C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) :		\
++				 XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
+ 
+ int xt_match_to_user(const struct xt_entry_match *m,
+ 		     struct xt_entry_match __user *u)
+-- 
+2.7.5
+
diff --git a/0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch b/0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch
new file mode 100644
index 000000000..7786bf9d8
--- /dev/null
+++ b/0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch
@@ -0,0 +1,92 @@
+From d6b664f7f350dafd604fd014de20ea8e0f25b3b3 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 17 May 2017 11:24:47 -0400
+Subject: [PATCH 2/2] netfilter: xtables: fix build failure from
+ COMPAT_XT_ALIGN outside CONFIG_COMPAT
+
+The patch in the Fixes references COMPAT_XT_ALIGN in the definition
+of XT_DATA_TO_USER, outside an #ifdef CONFIG_COMPAT block.
+
+Split XT_DATA_TO_USER into separate compat and non compat variants and
+define the first inside an CONFIG_COMPAT block.
+
+This simplifies both variants by removing branches inside the macro.
+
+Fixes: 324318f0248c ("netfilter: xtables: zero padding in data_to_user")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/x_tables.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index afb02fd..32488c0 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -296,18 +296,17 @@ int xt_data_to_user(void __user *dst, const void *src,
+ }
+ EXPORT_SYMBOL_GPL(xt_data_to_user);
+ 
+-#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE)				\
++#define XT_DATA_TO_USER(U, K, TYPE)					\
+ 	xt_data_to_user(U->data, K->data,				\
+ 			K->u.kernel.TYPE->usersize,			\
+-			C_SIZE ? : K->u.kernel.TYPE->TYPE##size,	\
+-			C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) :		\
+-				 XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
++			K->u.kernel.TYPE->TYPE##size,			\
++			XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
+ 
+ int xt_match_to_user(const struct xt_entry_match *m,
+ 		     struct xt_entry_match __user *u)
+ {
+ 	return XT_OBJ_TO_USER(u, m, match, 0) ||
+-	       XT_DATA_TO_USER(u, m, match, 0);
++	       XT_DATA_TO_USER(u, m, match);
+ }
+ EXPORT_SYMBOL_GPL(xt_match_to_user);
+ 
+@@ -315,7 +314,7 @@ int xt_target_to_user(const struct xt_entry_target *t,
+ 		      struct xt_entry_target __user *u)
+ {
+ 	return XT_OBJ_TO_USER(u, t, target, 0) ||
+-	       XT_DATA_TO_USER(u, t, target, 0);
++	       XT_DATA_TO_USER(u, t, target);
+ }
+ EXPORT_SYMBOL_GPL(xt_target_to_user);
+ 
+@@ -614,6 +613,12 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
+ }
+ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
+ 
++#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE)			\
++	xt_data_to_user(U->data, K->data,				\
++			K->u.kernel.TYPE->usersize,			\
++			C_SIZE,						\
++			COMPAT_XT_ALIGN(C_SIZE))
++
+ int xt_compat_match_to_user(const struct xt_entry_match *m,
+ 			    void __user **dstptr, unsigned int *size)
+ {
+@@ -629,7 +634,7 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
+ 		if (match->compat_to_user((void __user *)cm->data, m->data))
+ 			return -EFAULT;
+ 	} else {
+-		if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
++		if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
+ 			return -EFAULT;
+ 	}
+ 
+@@ -984,7 +989,7 @@ int xt_compat_target_to_user(const struct xt_entry_target *t,
+ 		if (target->compat_to_user((void __user *)ct->data, t->data))
+ 			return -EFAULT;
+ 	} else {
+-		if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
++		if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
+ 			return -EFAULT;
+ 	}
+ 
+-- 
+2.7.5
+
diff --git a/kernel.spec b/kernel.spec
index b32e0aa49..d6c33f29f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -656,6 +656,11 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
 Patch684: mm-larger-stack-guard-gap-between-vmas.patch
 Patch685: mm-fix-new-crash-in-unmapped_area_topdown.patch
 
+# rhbz 1459676
+Patch686: 0001-netfilter-xtables-zero-padding-in-data_to_user.patch
+Patch687: 0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch
+
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2223,6 +2228,9 @@ fi
 #
 #
 %changelog
+* Tue Jun 20 2017 Laura Abbott <labbott@fedoraproject.org>
+- Add fix for iptables (rhbz 1459676)
+
 * Tue Jun 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.6-201
 - bump and build