Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit afb14c7c authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
The following patchset contains three netfilter fixes for your net
tree, they are:

* A couple of fixes to resolve info leak to userspace due to uninitialized
  memory area in ulogd, from Mathias Krause.

* Fix instruction ordering issues that may lead to the access of
  uninitialized data in x_tables. The problem involves the table update
 (producer) and the main packet matching (consumer) routines. Detected in
  SMP ARMv7, from Will Deacon.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 320437af b416c144

net/bridge/netfilter/ebt_ulog.c

+3 −6
Original line number Diff line number Diff line
@@ -181,6 +181,7 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr, 
	ub->qlen++;



	pm = nlmsg_data(nlh);

	memset(pm, 0, sizeof(*pm));



	/* Fill in the ulog data */

	pm->version = EBT_ULOG_VERSION;
@@ -193,8 +194,6 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr, 
	pm->hook = hooknr;

	if (uloginfo->prefix != NULL)

		strcpy(pm->prefix, uloginfo->prefix);

	else

		*(pm->prefix) = '\0';



	if (in) {

		strcpy(pm->physindev, in->name);
@@ -204,16 +203,14 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr, 
			strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name);

		else

			strcpy(pm->indev, in->name);

	} else

		pm->indev[0] = pm->physindev[0] = '\0';

	}



	if (out) {

		/* If out exists, then out is a bridge port */

		strcpy(pm->physoutdev, out->name);

		/* rcu_read_lock()ed by nf_hook_slow */

		strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name);

	} else

		pm->outdev[0] = pm->physoutdev[0] = '\0';

	}



	if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0)

		BUG();

net/ipv4/netfilter/arp_tables.c

+5 −0
Original line number Diff line number Diff line
@@ -271,6 +271,11 @@ unsigned int arpt_do_table(struct sk_buff *skb, 
	local_bh_disable();

	addend = xt_write_recseq_begin();

	private = table->private;

	/*

	 * Ensure we load private-> members after we've fetched the base

	 * pointer.

	 */

	smp_read_barrier_depends();

	table_base = private->entries[smp_processor_id()];



	e = get_entry(table_base, private->hook_entry[hook]);

net/ipv4/netfilter/ip_tables.c

+5 −0
Original line number Diff line number Diff line
@@ -327,6 +327,11 @@ ipt_do_table(struct sk_buff *skb, 
	addend = xt_write_recseq_begin();

	private = table->private;

	cpu        = smp_processor_id();

	/*

	 * Ensure we load private-> members after we've fetched the base

	 * pointer.

	 */

	smp_read_barrier_depends();

	table_base = private->entries[cpu];

	jumpstack  = (struct ipt_entry **)private->jumpstack[cpu];

	stackptr   = per_cpu_ptr(private->stackptr, cpu);

net/ipv4/netfilter/ipt_ULOG.c

+1 −6
Original line number Diff line number Diff line
@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net, 
	ub->qlen++;



	pm = nlmsg_data(nlh);

	memset(pm, 0, sizeof(*pm));



	/* We might not have a timestamp, get one */

	if (skb->tstamp.tv64 == 0)
@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net, 
	}

	else if (loginfo->prefix[0] != '\0')

		strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));

	else

		*(pm->prefix) = '\0';



	if (in && in->hard_header_len > 0 &&

	    skb->mac_header != skb->network_header &&
@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net, 


	if (in)

		strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));

	else

		pm->indev_name[0] = '\0';



	if (out)

		strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));

	else

		pm->outdev_name[0] = '\0';



	/* copy_len <= skb->len, so can't fail. */

	if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)

net/ipv6/netfilter/ip6_tables.c

+5 −0
Original line number Diff line number Diff line
@@ -349,6 +349,11 @@ ip6t_do_table(struct sk_buff *skb, 
	local_bh_disable();

	addend = xt_write_recseq_begin();

	private = table->private;

	/*

	 * Ensure we load private-> members after we've fetched the base

	 * pointer.

	 */

	smp_read_barrier_depends();

	cpu        = smp_processor_id();

	table_base = private->entries[cpu];

	jumpstack  = (struct ip6t_entry **)private->jumpstack[cpu];