From patchwork Wed Nov 28 17:29:09 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 152338
Delivered-To: patch@linaro.org
Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp1365628ljp;
 Wed, 28 Nov 2018 09:30:01 -0800 (PST)
X-Google-Smtp-Source: AFSGD/X0Oz0ZyKv+fZz+vBB0eyuy4IdpjprnBX7oGaXosEDTK1dInU6fMUt6n5ZU/IBt23g4O91Q
X-Received: by 2002:a17:902:d905:: with SMTP id
 c5mr36922103plz.43.1543426201749; 
 Wed, 28 Nov 2018 09:30:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543426201; cv=none;
 d=google.com; s=arc-20160816;
 b=uf12OVnwcnAyiDCk3CDRo0RfjqV2PNzkxDqsohv0cwHX/uJCxH8+mwWYWfeyGrXwt4
 KeHJw6PjfAWfMhYu0jEoVsv8pNk/gbYI9psUa3A4NfvdvC3WiOGZhRzPB+kwsRsXQ3yd
 1TGuuYKqtsEnTro1Bg5mCEMB12gigcMMzBodpl/S8W9rE/rSFwASpjDCp/6LMWq5PzXS
 7nNbheWGAuInKbHqbFplCWt0ZstWYitUqKxLBYjlZsQeTMw13SPYozCL5gQ2MeVW5z2a
 89mA15u9pM2NT7B2SO4zBwD0dZCnxAwEhbToV88o6UNHjpy6h1u50I6FhoFLq2uA28XB
 5spg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature;
 bh=zMptgWvoWBDT5xd4Smq4zptpv7pmug6afHEw0JXldMc=;
 b=j6BGw9T2BDpAZAHVl0gHB38Ob83fnAdhZXdYX6L7tLct+4GCRI58hfvX2GREN2I1ri
 584pUMvDPa+C8o/D3UsOO17B7S1NZHUXrgeHXGOz8WLlZqA7ZmBo5F3FVUWy60z2chB6
 kITLAY1QuUyaqQiZwbp1COhbMnl/X9WPRLtiUJCL5ZUektk1A59aznC0ubgf77PE+Igi
 fteTnlo4fYBXU2bMp7eCU9PKxgx5nyJR+PmbF3hMp+FPZHh2kgLxcV1ry3p4SubtGIQR
 WmN76NYUG1X/1mYpQMhURoSWE+hTNBetl2pK86/Qew7Tnfr+BrcCWVwJZlVfx3qGndlY
 pGKA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=fwgXja0u;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id 44si8357481plb.57.2018.11.28.09.29.59; 
 Wed, 28 Nov 2018 09:30:01 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=fwgXja0u;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1728851AbeK2EcE (ORCPT <rfc822;dave.long@linaro.org>
 + 15 others); Wed, 28 Nov 2018 23:32:04 -0500
Received: from mail-pl1-f193.google.com ([209.85.214.193]:38123 "EHLO
 mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1728743AbeK2EcD (ORCPT
 <rfc822;stable@vger.kernel.org>); Wed, 28 Nov 2018 23:32:03 -0500
Received: by mail-pl1-f193.google.com with SMTP id e5so17710868plb.5
 for <stable@vger.kernel.org>; Wed, 28 Nov 2018 09:29:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=zMptgWvoWBDT5xd4Smq4zptpv7pmug6afHEw0JXldMc=;
 b=fwgXja0uMzZ5YXFKTCl5E7D0YOyuHAxCqWEpLRfT0TiGuxdweuofDW81wHMqasY9dc
 WaV/UEDHtXyTHW17Gu14jJAoeb4DC9HxiguQx0E8lIrnayAW4aLIrnZFyVyTLlnD2/uX
 V8yVWilLDsuToC7M3asjcopfRSXrdZp0teQRo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=zMptgWvoWBDT5xd4Smq4zptpv7pmug6afHEw0JXldMc=;
 b=bVg/o/789JGsyqkVRSaF247XjAQMLMcei7iOKNUu+fRhOCSSuFQZ56n8fE2dFrpHXY
 WmCDUz4nfhHjmoPncVIpI7TKuft5qOkyhdY0rlCFDYMpQDFuZzMxSz06DqXpBcwQU/vQ
 Rqm15a5KE+s17MizGdd1jwbY8KXGc8wZmCYJmfJTXM6H3Xt8QZ8fycEeEBTs6/+xXq5x
 kfAsMof8fCj30NE9AixFZ4qokUScUa3kWRl+Kmsy/6pu3DqwK7o3gR+45zl9RUlMwgBj
 i5wXWgWWyNesL2f03iJRfQ7YqMbvYtdE2lns+V/CGIw9Fx/npW+rhkepFNQHvw3PsHHh
 G7cw==
X-Gm-Message-State: AA+aEWb6Pdh/66Np6c2w9ONcIXf6y+T6RG1FSl6JnuGVDIX2Sy6bSW/n
 aodYLeDmAQ17khgMm1DMjv7oJUbCfUk=
X-Received: by 2002:a17:902:b701:: with SMTP id
 d1-v6mr35981611pls.29.1543426180102; 
 Wed, 28 Nov 2018 09:29:40 -0800 (PST)
Received: from localhost.localdomain ([49.207.53.6])
 by smtp.gmail.com with ESMTPSA id
 84sm13624360pfk.134.2018.11.28.09.29.37
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Wed, 28 Nov 2018 09:29:39 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Liping Zhang <zlpnobody@gmail.com>,
 Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH for-4.4.y 10/10] netfilter: nf_tables: fix oops when
 inserting an element into a verdict map
Date: Wed, 28 Nov 2018 22:59:09 +0530
Message-Id: <1543426149-7269-11-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
References: <1543426149-7269-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Liping Zhang <zlpnobody@gmail.com>

commit 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf upstream.

Dalegaard says:
 The following ruleset, when loaded with 'nft -f bad.txt'
 ----snip----
 flush ruleset
 table ip inlinenat {
   map sourcemap {
     type ipv4_addr : verdict;
   }

   chain postrouting {
     ip saddr vmap @sourcemap accept
   }
 }
 add chain inlinenat test
 add element inlinenat sourcemap { 100.123.10.2 : jump test }
 ----snip----

 results in a kernel oops:
 BUG: unable to handle kernel paging request at 0000000000001344
 IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
 [...]
 Call Trace:
  [<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
  [<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
  [<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
  [<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
  [<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
  [<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
  [<ffffffff8132c400>] ? nla_validate+0x60/0x80
  [<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]

Because we forget to fill the net pointer in bind_ctx, so dereferencing
it may cause kernel crash.

Reported-by: Dalegaard <dalegaard@gmail.com>
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 120e9ae04db3..a7967af0da82 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3452,6 +3452,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 		dreg = nft_type_to_reg(set->dtype);
 		list_for_each_entry(binding, &set->bindings, list) {
 			struct nft_ctx bind_ctx = {
+				.net	= ctx->net,
 				.afi	= ctx->afi,
 				.table	= ctx->table,
 				.chain	= (struct nft_chain *)binding->chain,