    netfilter: nf_tables: fix oops when inserting an element into a verdict map · 1c759b36
    Liping Zhang authored
    commit 58c78e10 upstream.
    
    Dalegaard says:
     The following ruleset, when loaded with 'nft -f bad.txt'
     ----snip----
     flush ruleset
     table ip inlinenat {
       map sourcemap {
         type ipv4_addr : verdict;
       }
    
       chain postrouting {
         ip saddr vmap @sourcemap accept
       }
     }
     add chain inlinenat test
     add element inlinenat sourcemap { 100.123.10.2 : jump test }
     ----snip----
    
     results in a kernel oops:
     BUG: unable to handle kernel paging request at 0000000000001344
     IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
     [...]
     Call Trace:
      [<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
      [<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
      [<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
      [<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
      [<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
      [<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
      [<ffffffff8132c400>] ? nla_validate+0x60/0x80
      [<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]
    
    Because we forget to fill the net pointer in bind_ctx, dereferencing
    it may cause a kernel crash.
    Reported-by: Dalegaard <dalegaard@gmail.com>
    Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>