| From foo@baz Thu Aug 24 17:49:47 PDT 2017 |
| From: Xin Long <lucien.xin@gmail.com> |
| Date: Fri, 18 Aug 2017 11:01:36 +0800 |
| Subject: net: sched: fix NULL pointer dereference when action calls some targets |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| |
| [ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ] |
| |
| As we know in some target's checkentry it may dereference par.entryinfo |
| to check entry stuff inside. But when sched action calls xt_check_target, |
| par.entryinfo is set with NULL. It would cause kernel panic when calling |
| some targets. |
| |
| It can be reproduce with: |
| # tc qd add dev eth1 ingress handle ffff: |
| # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \ |
| -j ECN --ecn-tcp-remove |
| |
| It could also crash kernel when using target CLUSTERIP or TPROXY. |
| |
| By now there's no proper value for par.entryinfo in ipt_init_target, |
| but it can not be set with NULL. This patch is to void all these |
| panics by setting it with an ipt_entry obj with all members = 0. |
| |
| Note that this issue has been there since the very beginning. |
| |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sched/act_ipt.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/net/sched/act_ipt.c |
| +++ b/net/sched/act_ipt.c |
| @@ -34,6 +34,7 @@ static int ipt_init_target(struct xt_ent |
| { |
| struct xt_tgchk_param par; |
| struct xt_target *target; |
| + struct ipt_entry e = {}; |
| int ret = 0; |
| |
| target = xt_request_find_target(AF_INET, t->u.user.name, |
| @@ -44,6 +45,7 @@ static int ipt_init_target(struct xt_ent |
| t->u.kernel.target = target; |
| memset(&par, 0, sizeof(par)); |
| par.table = table; |
| + par.entryinfo = &e; |
| par.target = target; |
| par.targinfo = t->data; |
| par.hook_mask = hook; |