netfilter: ensure number of counters is >0 in do_replace() 26/154926/2
author Dave Jones <davej@codemonkey.org.uk>
Wed, 20 May 2015 00:55:17 +0000 (20:55 -0400)
committer Seung-Woo Kim <sw0312.kim@samsung.com>
Wed, 11 Oct 2017 11:55:45 +0000 (11:55 +0000)
commit bc924f6f997f633b831991f6f34d5e6e4e4c2556
tree 63f82812734fadc94033e7c61e730d899a348d20
parent 14a7f5be6643a9363eace3f74b514ef6037307e2
netfilter: ensure number of counters is >0 in do_replace()

commit 1086bbe97a074844188c6c988fa0b1a98c3ccbb9 upstream.

After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:

    warn_alloc_failed+0xe9/0x140
    __vmalloc_node_range+0x1be/0x270
    vzalloc+0x4b/0x50
    __do_replace+0x52/0x260 [ip_tables]
    do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
    nf_setsockopt+0x65/0x90
    ip_setsockopt+0x61/0xa0
    raw_setsockopt+0x16/0x60
    sock_common_setsockopt+0x14/0x20
    SyS_setsockopt+0x71/0xd0

It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.

The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[sw0312.kim: cherry-pick from linux-3.10.y to apply CVE]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Iebabc62d37651a1eb8dc530c9bd90bd66d502fef
net/bridge/netfilter/ebtables.c
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/ip_tables.c
net/ipv6/netfilter/ip6_tables.c