release/5.2.36/netfilter-conntrack-dccp-sctp-handle-null-timeout-ar.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 27bf0fe46d2219dcd836bc7bf084133a1f83730f Mon Sep 17 00:00:00 2001
 From: Florian Westphal <fw@strlen.de>
 Date: Mon, 6 Jan 2020 23:34:17 +0100
 Subject: [PATCH] netfilter: conntrack: dccp, sctp: handle null timeout
  argument

 commit 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 upstream.

 The timeout pointer can be NULL which means we should modify the
 per-nets timeout instead.

 All do this, except sctp and dccp which instead give:

 general protection fault: 0000 [#1] PREEMPT SMP KASAN
 net/netfilter/nf_conntrack_proto_dccp.c:682
  ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67
  cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368
  nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
  netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477

 Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com
 Fixes: c779e849608a8 ("netfilter: conntrack: remove get_timeout() indirection")
 Signed-off-by: Florian Westphal <fw@strlen.de>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
 index b6b14db3955b..b3f4a334f9d7 100644
 --- a/net/netfilter/nf_conntrack_proto_dccp.c
 +++ b/net/netfilter/nf_conntrack_proto_dccp.c
 @@ -677,6 +677,9 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
  	unsigned int *timeouts = data;
  	int i;

 +	if (!timeouts)
 +		 timeouts = dn->dccp_timeout;
 +
  	/* set default DCCP timeouts. */
  	for (i=0; i<CT_DCCP_MAX; i++)
  		timeouts[i] = dn->dccp_timeout[i];
 diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
 index 522c08c23600..d4e927c1b943 100644
 --- a/net/netfilter/nf_conntrack_proto_sctp.c
 +++ b/net/netfilter/nf_conntrack_proto_sctp.c
 @@ -594,6 +594,9 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
  	struct nf_sctp_net *sn = nf_sctp_pernet(net);
  	int i;

 +	if (!timeouts)
 +		timeouts = sn->timeouts;
 +
  	/* set default SCTP timeouts. */
  	for (i=0; i<SCTP_CONNTRACK_MAX; i++)
  		timeouts[i] = sn->timeouts[i];
 --
 2.7.4
	From 27bf0fe46d2219dcd836bc7bf084133a1f83730f Mon Sep 17 00:00:00 2001
	From: Florian Westphal <fw@strlen.de>
	Date: Mon, 6 Jan 2020 23:34:17 +0100
	Subject: [PATCH] netfilter: conntrack: dccp, sctp: handle null timeout
	argument

	commit 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 upstream.

	The timeout pointer can be NULL which means we should modify the
	per-nets timeout instead.

	All do this, except sctp and dccp which instead give:

	general protection fault: 0000 [#1] PREEMPT SMP KASAN
	net/netfilter/nf_conntrack_proto_dccp.c:682
	ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67
	cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368
	nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
	netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477

	Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com
	Fixes: c779e849608a8 ("netfilter: conntrack: remove get_timeout() indirection")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
	index b6b14db3955b..b3f4a334f9d7 100644
	--- a/net/netfilter/nf_conntrack_proto_dccp.c
	+++ b/net/netfilter/nf_conntrack_proto_dccp.c
	@@ -677,6 +677,9 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
	unsigned int *timeouts = data;
	int i;

	+ if (!timeouts)
	+ timeouts = dn->dccp_timeout;
	+
	/* set default DCCP timeouts. */
	for (i=0; i<CT_DCCP_MAX; i++)
	timeouts[i] = dn->dccp_timeout[i];
	diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
	index 522c08c23600..d4e927c1b943 100644
	--- a/net/netfilter/nf_conntrack_proto_sctp.c
	+++ b/net/netfilter/nf_conntrack_proto_sctp.c
	@@ -594,6 +594,9 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
	struct nf_sctp_net *sn = nf_sctp_pernet(net);
	int i;

	+ if (!timeouts)
	+ timeouts = sn->timeouts;
	+
	/* set default SCTP timeouts. */
	for (i=0; i<SCTP_CONNTRACK_MAX; i++)
	timeouts[i] = sn->timeouts[i];
	--
	2.7.4