releases/4.4.166/netfilter-nf_tables-fix-oops-when-inserting-an-element-into-a-verdict-map.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf Mon Sep 17 00:00:00 2001
 From: Liping Zhang <zlpnobody@gmail.com>
 Date: Sun, 6 Nov 2016 14:40:01 +0800
 Subject: netfilter: nf_tables: fix oops when inserting an element into a verdict map

 From: Liping Zhang <zlpnobody@gmail.com>

 commit 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf upstream.

 Dalegaard says:
  The following ruleset, when loaded with 'nft -f bad.txt'
  ----snip----
  flush ruleset
  table ip inlinenat {
    map sourcemap {
      type ipv4_addr : verdict;
    }

    chain postrouting {
      ip saddr vmap @sourcemap accept
    }
  }
  add chain inlinenat test
  add element inlinenat sourcemap { 100.123.10.2 : jump test }
  ----snip----

  results in a kernel oops:
  BUG: unable to handle kernel paging request at 0000000000001344
  IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
  [...]
  Call Trace:
   [<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
   [<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
   [<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
   [<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
   [<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
   [<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
   [<ffffffff8132c400>] ? nla_validate+0x60/0x80
   [<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]

 Because we forget to fill the net pointer in bind_ctx, so dereferencing
 it may cause kernel crash.

 Reported-by: Dalegaard <dalegaard@gmail.com>
 Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/netfilter/nf_tables_api.c |    1 +
  1 file changed, 1 insertion(+)

 --- a/net/netfilter/nf_tables_api.c
 +++ b/net/netfilter/nf_tables_api.c
 @@ -3452,6 +3452,7 @@ static int nft_add_set_elem(struct nft_c
  		dreg = nft_type_to_reg(set->dtype);
  		list_for_each_entry(binding, &set->bindings, list) {
  			struct nft_ctx bind_ctx = {
 +				.net	= ctx->net,
  				.afi	= ctx->afi,
  				.table	= ctx->table,
  				.chain	= (struct nft_chain *)binding->chain,
	From 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf Mon Sep 17 00:00:00 2001
	From: Liping Zhang <zlpnobody@gmail.com>
	Date: Sun, 6 Nov 2016 14:40:01 +0800
	Subject: netfilter: nf_tables: fix oops when inserting an element into a verdict map

	From: Liping Zhang <zlpnobody@gmail.com>

	commit 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf upstream.

	Dalegaard says:
	The following ruleset, when loaded with 'nft -f bad.txt'
	----snip----
	flush ruleset
	table ip inlinenat {
	map sourcemap {
	type ipv4_addr : verdict;
	}

	chain postrouting {
	ip saddr vmap @sourcemap accept
	}
	}
	add chain inlinenat test
	add element inlinenat sourcemap { 100.123.10.2 : jump test }
	----snip----

	results in a kernel oops:
	BUG: unable to handle kernel paging request at 0000000000001344
	IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
	[...]
	Call Trace:
	[<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
	[<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
	[<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
	[<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
	[<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
	[<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
	[<ffffffff8132c400>] ? nla_validate+0x60/0x80
	[<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]

	Because we forget to fill the net pointer in bind_ctx, so dereferencing
	it may cause kernel crash.

	Reported-by: Dalegaard <dalegaard@gmail.com>
	Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/netfilter/nf_tables_api.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/net/netfilter/nf_tables_api.c
	+++ b/net/netfilter/nf_tables_api.c
	@@ -3452,6 +3452,7 @@ static int nft_add_set_elem(struct nft_c
	dreg = nft_type_to_reg(set->dtype);
	list_for_each_entry(binding, &set->bindings, list) {
	struct nft_ctx bind_ctx = {
	+ .net = ctx->net,
	.afi = ctx->afi,
	.table = ctx->table,
	.chain = (struct nft_chain *)binding->chain,