author | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-06-24 19:23:42 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2017-06-24 19:23:42 +0200 |
commit | cd9064be9b44da6a5a8591f1a0109e85a106411b (patch) | |
tree | 1ece29e2948d4dd6947d6c43850c9968f3fdaa43 | |
parent | b380ab5d76a8144ab99c9aa9c0c1970edd43c82c (diff) | |
parent | a96f4ac8d92ccfbc3e3c89baf978e90bd3e3012f (diff) | |
Merge remote-tracking branch 'origin/f25' into f25-user-thl-vanilla-fedora
-rw-r--r-- | 0001-netfilter-xtables-zero-padding-in-data_to_user.patch | 116 | ||||
-rw-r--r-- | 0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch | 92 | ||||
-rw-r--r-- | kernel.spec | 8 |
3 files changed, 216 insertions, 0 deletions
diff --git a/0001-netfilter-xtables-zero-padding-in-data_to_user.patch b/0001-netfilter-xtables-zero-padding-in-data_to_user.patch
new file mode 100644
index 000000000..b23e387a6
--- /dev/null
+++ b/0001-netfilter-xtables-zero-padding-in-data_to_user.patch
@@ -0,0 +1,116 @@
+From b1a27013a72d5744be6510c05b86e1b9dd605012 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 9 May 2017 16:17:37 -0400
+Subject: [PATCH 1/2] netfilter: xtables: zero padding in data_to_user
+
+When looking up an iptables rule, the iptables binary compares the
+aligned match and target data (XT_ALIGN). In some cases this can
+exceed the actual data size to include padding bytes.
+
+Before commit f77bc5b23fb1 ("iptables: use match, target and data
+copy_to_user helpers") the malloc()ed bytes were overwritten by the
+kernel with kzalloced contents, zeroing the padding and making the
+comparison succeed. After this patch, the kernel copies and clears
+only data, leaving the padding bytes undefined.
+
+Extend the clear operation from data size to aligned data size to
+include the padding bytes, if any.
+
+Padding bytes can be observed in both match and target, and the bug
+triggered, by issuing a rule with match icmp and target ACCEPT:
+
+ iptables -t mangle -A INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
+ iptables -t mangle -D INPUT -i lo -p icmp --icmp-type 1 -j ACCEPT
+
+Fixes: f77bc5b23fb1 ("iptables: use match, target and data copy_to_user helpers")
+Reported-by: Paul Moore <pmoore@redhat.com>
+Reported-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/linux/netfilter/x_tables.h | 2 +-
+ net/bridge/netfilter/ebtables.c | 9 ++++++---
+ net/netfilter/x_tables.c | 9 ++++++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
+index be378cf..b3044c2c 100644
+--- a/include/linux/netfilter/x_tables.h
++++ b/include/linux/netfilter/x_tables.h
+@@ -294,7 +294,7 @@ int xt_match_to_user(const struct xt_entry_match *m,
+ int xt_target_to_user(const struct xt_entry_target *t,
+ struct xt_entry_target __user *u);
+ int xt_data_to_user(void __user *dst, const void *src,
+- int usersize, int size);
++ int usersize, int size, int aligned_size);
+
+ void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
+ struct xt_counters_info *info, bool compat);
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 79b6991..656c259 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1358,7 +1358,8 @@ static inline int ebt_obj_to_user(char __user *um, const char *_name,
+ strlcpy(name, _name, sizeof(name));
+ if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
+ put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
+- xt_data_to_user(um + entrysize, data, usersize, datasize))
++ xt_data_to_user(um + entrysize, data, usersize, datasize,
++ XT_ALIGN(datasize)))
+ return -EFAULT;
+
+ return 0;
+@@ -1643,7 +1644,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
+ if (match->compat_to_user(cm->data, m->data))
+ return -EFAULT;
+ } else {
+- if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
++ if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
++ COMPAT_XT_ALIGN(msize)))
+ return -EFAULT;
+ }
+
+@@ -1672,7 +1674,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
+ if (target->compat_to_user(cm->data, t->data))
+ return -EFAULT;
+ } else {
+- if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
++ if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
++ COMPAT_XT_ALIGN(tsize)))
+ return -EFAULT;
+ }
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 14857af..afb02fd 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -283,12 +283,13 @@ static int xt_obj_to_user(u16 __user *psize, u16 size,
+ &U->u.user.revision, K->u.kernel.TYPE->revision)
+
+ int xt_data_to_user(void __user *dst, const void *src,
+- int usersize, int size)
++ int usersize, int size, int aligned_size)
+ {
+ usersize = usersize ? : size;
+ if (copy_to_user(dst, src, usersize))
+ return -EFAULT;
+- if (usersize != size && clear_user(dst + usersize, size - usersize))
++ if (usersize != aligned_size &&
++ clear_user(dst + usersize, aligned_size - usersize))
+ return -EFAULT;
+
+ return 0;
+@@ -298,7 +299,9 @@ EXPORT_SYMBOL_GPL(xt_data_to_user);
+ #define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
+ xt_data_to_user(U->data, K->data, \
+ K->u.kernel.TYPE->usersize, \
+- C_SIZE ? : K->u.kernel.TYPE->TYPE##size)
++ C_SIZE ? : K->u.kernel.TYPE->TYPE##size, \
++ C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) : \
++ XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
+
+ int xt_match_to_user(const struct xt_entry_match *m,
+ struct xt_entry_match __user *u)
+--
+2.7.5
+
diff --git a/0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch b/0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch
new file mode 100644
index 000000000..7786bf9d8
--- /dev/null
+++ b/0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch
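Review bot: In the x_tables.c hunk, `xt_data_to_user` now hands `aligned_size - usersize` to `clear_user`, whose length parameter is unsigned, so a `usersize` larger than `aligned_size` would wrap into an enormous clear instead of failing cleanly; the new code keeps no local guard for that, and nothing in this diff shows where `usersize <= size` is enforced (presumably at match/target registration, which is outside the hunk and worth confirming). The contract is now three-sized and undocumented; a kerneldoc on the new definition such as `/* Copy usersize bytes of src (all of size if usersize is 0) to dst and zero the tail up to aligned_size; callers must pass usersize <= size <= aligned_size. */` would make the invariant visible to the ebtables callers added in the same patch. Cheap in-function hardening would be `if (usersize > aligned_size) return -EINVAL;` placed right after the `usersize = usersize ? : size;` line. The body of `xt_match_to_user` at the end of the hunk continues outside it.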
@@ -0,0 +1,92 @@
+From d6b664f7f350dafd604fd014de20ea8e0f25b3b3 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 17 May 2017 11:24:47 -0400
+Subject: [PATCH 2/2] netfilter: xtables: fix build failure from
+ COMPAT_XT_ALIGN outside CONFIG_COMPAT
+
+The patch in the Fixes references COMPAT_XT_ALIGN in the definition
+of XT_DATA_TO_USER, outside an #ifdef CONFIG_COMPAT block.
+
+Split XT_DATA_TO_USER into separate compat and non compat variants and
+define the first inside an CONFIG_COMPAT block.
+
+This simplifies both variants by removing branches inside the macro.
+
+Fixes: 324318f0248c ("netfilter: xtables: zero padding in data_to_user")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/x_tables.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index afb02fd..32488c0 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -296,18 +296,17 @@ int xt_data_to_user(void __user *dst, const void *src,
+ }
+ EXPORT_SYMBOL_GPL(xt_data_to_user);
+
+-#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
++#define XT_DATA_TO_USER(U, K, TYPE) \
+ xt_data_to_user(U->data, K->data, \
+ K->u.kernel.TYPE->usersize, \
+- C_SIZE ? : K->u.kernel.TYPE->TYPE##size, \
+- C_SIZE ? COMPAT_XT_ALIGN(C_SIZE) : \
+- XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
++ K->u.kernel.TYPE->TYPE##size, \
++ XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
+
+ int xt_match_to_user(const struct xt_entry_match *m,
+ struct xt_entry_match __user *u)
+ {
+ return XT_OBJ_TO_USER(u, m, match, 0) ||
+- XT_DATA_TO_USER(u, m, match, 0);
++ XT_DATA_TO_USER(u, m, match);
+ }
+ EXPORT_SYMBOL_GPL(xt_match_to_user);
+
+@@ -315,7 +314,7 @@ int xt_target_to_user(const struct xt_entry_target *t,
+ struct xt_entry_target __user *u)
+ {
+ return XT_OBJ_TO_USER(u, t, target, 0) ||
+- XT_DATA_TO_USER(u, t, target, 0);
++ XT_DATA_TO_USER(u, t, target);
+ }
+ EXPORT_SYMBOL_GPL(xt_target_to_user);
+
+@@ -614,6 +613,12 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
+ }
+ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
+
++#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE) \
++ xt_data_to_user(U->data, K->data, \
++ K->u.kernel.TYPE->usersize, \
++ C_SIZE, \
++ COMPAT_XT_ALIGN(C_SIZE))
++
+ int xt_compat_match_to_user(const struct xt_entry_match *m,
+ void __user **dstptr, unsigned int *size)
+ {
+@@ -629,7 +634,7 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
+ if (match->compat_to_user((void __user *)cm->data, m->data))
+ return -EFAULT;
+ } else {
+- if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
++ if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
+ return -EFAULT;
+ }
+
+@@ -984,7 +989,7 @@ int xt_compat_target_to_user(const struct xt_entry_target *t,
+ if (target->compat_to_user((void __user *)ct->data, t->data))
+ return -EFAULT;
+ } else {
+- if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
++ if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
+ return -EFAULT;
+ }
+
+--
+2.7.5
+
diff --git a/kernel.spec b/kernel.spec
index b32e0aa49..d6c33f29f 100644
--- a/kernel.spec
+++ b/kernel.spec
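Review bot: The new `COMPAT_XT_DATA_TO_USER` macro in the x_tables.c hunk expands its `C_SIZE` argument twice (once bare, once inside `COMPAT_XT_ALIGN`), and both call sites pass an expression (`msize - sizeof(*cm)`, `tsize - sizeof(*ct)`); that is harmless today because neither has side effects, but the size_t result is also narrowed silently to the `int` parameters of `xt_data_to_user`. A one-line comment above the macro would record both constraints for the next caller, e.g. `/* C_SIZE is evaluated twice and must be a side-effect-free compat data size; compat-only (uses COMPAT_XT_ALIGN) */`. The commit message says the macro is placed inside a CONFIG_COMPAT block, but the surrounding #ifdef is not visible in the hunk, so that placement is inferred rather than checked here.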
@@ -656,6 +656,11 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch Patch684: mm-larger-stack-guard-gap-between-vmas.patch Patch685: mm-fix-new-crash-in-unmapped_area_topdown.patch +# rhbz 1459676 +Patch686: 0001-netfilter-xtables-zero-padding-in-data_to_user.patch +Patch687: 0002-netfilter-xtables-fix-build-failure-from-COMPAT_XT_A.patch + + # END OF PATCH DEFINITIONS %endif @@ -2223,6 +2228,9 @@ fi # # %changelog +* Tue Jun 20 2017 Laura Abbott <labbott@fedoraproject.org> +- Add fix for iptables (rhbz 1459676) + * Tue Jun 20 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.6-201 - bump and build |