    netfilter: nf_tables: fix oops when inserting an element into a verdict map · 1c759b36
    Liping Zhang authored
    commit 58c78e10 upstream.
    
    Dalegaard says:
     The following ruleset, when loaded with 'nft -f bad.txt'
     ----snip----
     flush ruleset
     table ip inlinenat {
       map sourcemap {
         type ipv4_addr : verdict;
       }
    
       chain postrouting {
         ip saddr vmap @sourcemap accept
       }
     }
     add chain inlinenat test
     add element inlinenat sourcemap { 100.123.10.2 : jump test }
     ----snip----
    
     results in a kernel oops:
     BUG: unable to handle kernel paging request at 0000000000001344
     IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
     [...]
     Call Trace:
      [<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
      [<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
      [<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
      [<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
      [<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
      [<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
      [<ffffffff8132c400>] ? nla_validate+0x60/0x80
      [<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]
    
    Because we forget to fill the net pointer in bind_ctx, dereferencing
    it may cause a kernel crash.
    Reported-by: Dalegaard <dalegaard@gmail.com>
    Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Name
6lowpan
802
8021q
9p
appletalk
atm
ax25
batman-adv
bluetooth
bridge
caif
can
ceph
core
dcb
dccp
decnet
dns_resolver
dsa
ethernet
hsr
ieee802154
ipv4
ipv6
ipx
irda
iucv
key
l2tp
l3mdev
lapb
llc
mac80211
mac802154
mpls
netfilter
netlabel
netlink
netrom
nfc
openvswitch
packet
phonet
rds
rfkill
rose
rxrpc
sched
sctp
sunrpc
switchdev
tipc
unix
vmw_vsock
wimax
wireless
x25
xfrm
Kconfig
Makefile
compat.c
socket.c
sysctl_net.c