release/5.2.37/netfilter-nf_tables-remove-WARN-and-add-NLA_STRING-u.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From ed340a70fdb14996e30ca0b3441c16980356b012 Mon Sep 17 00:00:00 2001
 From: Florian Westphal <fw@strlen.de>
 Date: Thu, 16 Jan 2020 09:06:50 +0100
 Subject: [PATCH] netfilter: nf_tables: remove WARN and add NLA_STRING upper
  limits

 commit 9332d27d7918182add34e8043f6a754530fdd022 upstream.

 This WARN can trigger because some of the names fed to the module
 autoload function can be of arbitrary length.

 Remove the WARN and add limits for all NLA_STRING attributes.

 Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com
 Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload")
 Signed-off-by: Florian Westphal <fw@strlen.de>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
 index f30eb3e0b880..7653a235f8df 100644
 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
 @@ -21,6 +21,8 @@
  #include <net/net_namespace.h>
  #include <net/sock.h>

 +#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
 +
  static LIST_HEAD(nf_tables_expressions);
  static LIST_HEAD(nf_tables_objects);
  static LIST_HEAD(nf_tables_flowtables);
 @@ -519,7 +521,7 @@ static void nft_request_module(struct net *net, const char *fmt, ...)
  	va_start(args, fmt);
  	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
  	va_end(args);
 -	if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
 +	if (ret >= MODULE_NAME_LEN)
  		return;

  	mutex_unlock(&net->nft.commit_mutex);
 @@ -1172,7 +1174,8 @@ static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
  				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
  	[NFTA_CHAIN_HOOK]	= { .type = NLA_NESTED },
  	[NFTA_CHAIN_POLICY]	= { .type = NLA_U32 },
 -	[NFTA_CHAIN_TYPE]	= { .type = NLA_STRING },
 +	[NFTA_CHAIN_TYPE]	= { .type = NLA_STRING,
 +				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
  	[NFTA_CHAIN_COUNTERS]	= { .type = NLA_NESTED },
  };

 @@ -2062,7 +2065,8 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net,
  }

  static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
 -	[NFTA_EXPR_NAME]	= { .type = NLA_STRING },
 +	[NFTA_EXPR_NAME]	= { .type = NLA_STRING,
 +				    .len = NFT_MODULE_AUTOLOAD_LIMIT },
  	[NFTA_EXPR_DATA]	= { .type = NLA_NESTED },
  };

 @@ -3888,7 +3892,8 @@ static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
  	[NFTA_SET_ELEM_USERDATA]	= { .type = NLA_BINARY,
  					    .len = NFT_USERDATA_MAXLEN },
  	[NFTA_SET_ELEM_EXPR]		= { .type = NLA_NESTED },
 -	[NFTA_SET_ELEM_OBJREF]		= { .type = NLA_STRING },
 +	[NFTA_SET_ELEM_OBJREF]		= { .type = NLA_STRING,
 +					    .len = NFT_OBJ_MAXNAMELEN - 1 },
  };

  static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
 --
 2.7.4
	From ed340a70fdb14996e30ca0b3441c16980356b012 Mon Sep 17 00:00:00 2001
	From: Florian Westphal <fw@strlen.de>
	Date: Thu, 16 Jan 2020 09:06:50 +0100
	Subject: [PATCH] netfilter: nf_tables: remove WARN and add NLA_STRING upper
	limits

	commit 9332d27d7918182add34e8043f6a754530fdd022 upstream.

	This WARN can trigger because some of the names fed to the module
	autoload function can be of arbitrary length.

	Remove the WARN and add limits for all NLA_STRING attributes.

	Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com
	Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
	index f30eb3e0b880..7653a235f8df 100644
	--- a/net/netfilter/nf_tables_api.c
	+++ b/net/netfilter/nf_tables_api.c
	@@ -21,6 +21,8 @@
	#include <net/net_namespace.h>
	#include <net/sock.h>

	+#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
	+
	static LIST_HEAD(nf_tables_expressions);
	static LIST_HEAD(nf_tables_objects);
	static LIST_HEAD(nf_tables_flowtables);
	@@ -519,7 +521,7 @@ static void nft_request_module(struct net net, const char fmt, ...)
	va_start(args, fmt);
	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
	va_end(args);
	- if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
	+ if (ret >= MODULE_NAME_LEN)
	return;

	mutex_unlock(&net->nft.commit_mutex);
	@@ -1172,7 +1174,8 @@ static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
	.len = NFT_CHAIN_MAXNAMELEN - 1 },
	[NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
	[NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
	- [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
	+ [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
	+ .len = NFT_MODULE_AUTOLOAD_LIMIT },
	[NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
	};

	@@ -2062,7 +2065,8 @@ static const struct nft_expr_type nft_expr_type_get(struct net net,
	}

	static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
	- [NFTA_EXPR_NAME] = { .type = NLA_STRING },
	+ [NFTA_EXPR_NAME] = { .type = NLA_STRING,
	+ .len = NFT_MODULE_AUTOLOAD_LIMIT },
	[NFTA_EXPR_DATA] = { .type = NLA_NESTED },
	};

	@@ -3888,7 +3892,8 @@ static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
	[NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
	.len = NFT_USERDATA_MAXLEN },
	[NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
	- [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
	+ [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
	+ .len = NFT_OBJ_MAXNAMELEN - 1 },
	};

	static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
	--
	2.7.4