netfilter: nft_compat: do not dump private area

mainline inclusion from mainline-4.20 commit d701d8117200 category: bugfix bugzilla: 6224 CVE: NA ------------------------------------------------- Zero pad private area, otherwise we expose private kernel pointer to userspace. This patch also zeroes the tail area after the ->matchsize and ->targetsize that results from XT_ALIGN(). Fixes: 0ca743a5 ("netfilter: nf_tables: add compatibility layer for x_tables") Reported-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Shangli <shangli1@huawei.com> Signed-off-by: N Mao Wenan <maowenan@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

netfilter: nft_compat: do not dump private area
mainline inclusion from mainline-4.20 commit d701d8117200 category: bugfix bugzilla: 6224 CVE: NA ------------------------------------------------- Zero pad private area, otherwise we expose private kernel pointer to userspace. This patch also zeroes the tail area after the ->matchsize and ->targetsize that results from XT_ALIGN(). Fixes: 0ca743a5 ("netfilter: nf_tables: add compatibility layer for x_tables") Reported-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Shangli <shangli1@huawei.com> Signed-off-by: N Mao Wenan <maowenan@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
4808df9e · Pablo Neira Ayuso · Xie XiuQi · f7fc8a80 · 4808df9e
显示空白变更内容
内联并排

Showing with 22 addition and 2 deletion

net/netfilter/nft_compat.c net/netfilter/nft_compat.c +22 -2

未找到文件。
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -295,6 +295,24 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 		module_put(target->me);
 }
+static int nft_extension_dump_info(struct sk_buff *skb, int attr,
+				   const void *info,
+				   unsigned int size, unsigned int user_size)
+{
+	unsigned int info_size, aligned_size = XT_ALIGN(size);
+	struct nlattr *nla;
+	nla = nla_reserve(skb, attr, aligned_size);
+	if (!nla)
+		return -1;
+	info_size = user_size ? : size;
+	memcpy(nla_data(nla), info, info_size);
+	memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
+	return 0;
+}
 static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
 	const struct xt_target *target = expr->ops->data;
@@ -302,7 +320,8 @@ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
 	if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
 	    nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
-	    nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(target->targetsize), info))
+	    nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
+				    target->targetsize, target->usersize))
 		goto nla_put_failure;
 	return 0;
@@ -537,7 +556,8 @@ static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
 	if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
 	    nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
-	    nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(match->matchsize), info))
+	    nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
+				    match->matchsize, match->usersize))
 		goto nla_put_failure;
 	return 0;