linux/net/netfilter, branch v4.6

nf_conntrack: avoid kernel pointer value leak in slab name

2016-05-14T19:04:43Z

The slab name ends up being visible in the directory structure under /sys, and even if you don't have access rights to the file you can see the filenames. Just use a 64-bit counter instead of the pointer to the 'net' structure to generate a unique name. This code will go away in 4.7 when the conntrack code moves to a single kmemcache, but this is the backportable simple solution to avoiding leaking kernel pointers to user space. Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep") Signed-off-by: Linus Torvalds Acked-by: Eric Dumazet Cc: stable@vger.kernel.org Signed-off-by: David S. Miller

netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

2016-05-05T14:47:08Z

If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is required to trigger the bug. Signed-off-by: Phil Turnbull Signed-off-by: Pablo Neira Ayuso

netfilter: IDLETIMER: fix race condition when destroy the target

2016-04-29T12:28:48Z

Workqueue maybe still in running while we destroy the IDLETIMER target, thus cause a use after free error, add cancel_work_sync() to avoid such situation. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso

netfilter: conntrack: init all_locks to avoid debug warning

2016-04-29T09:27:10Z

Else we get 'BUG: spinlock bad magic on CPU#' on resize when spin lock debugging is enabled. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options

2016-04-07T16:42:37Z

Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that the TCP option parsing routines in netfilter TCP connection tracking could read one byte out of the buffer of the TCP options. Therefore in the patch we check that the available data length is large enough to parse both TCP option code and size. Reported-by: Baozeng Ding Tested-by: Baozeng Ding Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink_queue: honor NFQA_CFG_F_FAIL_OPEN when netlink unicast fails

2016-03-28T15:59:20Z

When netlink unicast fails to deliver the message to userspace, we should also check if the NFQA_CFG_F_FAIL_OPEN flag is set so we reinject the packet back to the stack. I think the user expects no packet drops when this flag is set due to queueing to userspace errors, no matter if related to the internal queue or when sending the netlink message to userspace. The userspace application will still get the ENOBUFS error via recvmsg() so the user still knows that, with the current configuration that is in place, the userspace application is not consuming the messages at the pace that the kernel needs. Reported-by: "Yigal Reiss (yreiss)" Signed-off-by: Pablo Neira Ayuso Tested-by: "Yigal Reiss (yreiss)"

netfilter: ipset: fix race condition in ipset save, swap and delete

2016-03-28T15:57:45Z

This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a race condition which can be demonstrated by the following script: ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \ counters ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 /* will crash the machine */ Swap will exchange the values of ref so destroy will see ref = 0 instead of ref = 1. With this fix in place swap will not succeed because ipset save still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink). Both delete and swap will error out if ref_netlink != 0 on the set. Note: The changes to *_head functions is because previously we would increment ref whenever we called these functions, we don't do that anymore. Reviewed-by: Joshua Hunt Signed-off-by: Vishwanath Pai Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso

netfilter: nf_conntrack: consolidate lock/unlock into unlock_wait

2016-03-15T00:10:42Z

The spin_lock()/spin_unlock() is synchronizing on the nf_conntrack_locks_all_lock which is equivalent to spin_unlock_wait() but the later should be more efficient. Signed-off-by: Nicholas Mc Guire Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: check for size overflow

2016-03-12T10:55:01Z

Ben Hawkes says: integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. Reported-by: Ben Hawkes Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: nft_compat: check match/targetinfo attr size

2016-03-11T10:37:56Z

We copy according to ->target|matchsize, so check that the netlink attribute (which can include padding and might be larger) contains enough data. Reported-by: Julia Lawall Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso