<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/netfilter, branch v4.8.8</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>netfilter: xt_NFLOG: fix unexpected truncated packet</title>
<updated>2016-11-10T15:38:56+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-10-11T13:03:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cc94524e89408dab9830cf9822c0e499b1275f36'/>
<id>cc94524e89408dab9830cf9822c0e499b1275f36</id>
<content type='text'>
commit 6d19375b58763fefc2f215fb45117d3353ced888 upstream.

Justin and Chris spotted that iptables NFLOG target was broken when they
upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or
"results in segfaults in ulogd-2.0.5".

Because "struct nf_loginfo li;" is a local variable, and flags will be
filled with garbage value, not inited to zero. So if it contains 0x1,
packets will not be logged to the userspace anymore.

Fixes: 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets")
Reported-by: Justin Piszcz &lt;jpiszcz@lucidpixels.com&gt;
Reported-by: Chris Caputo &lt;ccaputo@alt.net&gt;
Tested-by: Chris Caputo &lt;ccaputo@alt.net&gt;
Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6d19375b58763fefc2f215fb45117d3353ced888 upstream.

Justin and Chris spotted that iptables NFLOG target was broken when they
upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or
"results in segfaults in ulogd-2.0.5".

Because "struct nf_loginfo li;" is a local variable, and flags will be
filled with garbage value, not inited to zero. So if it contains 0x1,
packets will not be logged to the userspace anymore.

Fixes: 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets")
Reported-by: Justin Piszcz &lt;jpiszcz@lucidpixels.com&gt;
Reported-by: Chris Caputo &lt;ccaputo@alt.net&gt;
Tested-by: Chris Caputo &lt;ccaputo@alt.net&gt;
Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions</title>
<updated>2016-09-13T08:50:56+00:00</updated>
<author>
<name>Gao Feng</name>
<email>fgao@ikuai8.com</email>
</author>
<published>2016-09-13T00:49:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4440a2ab3b9f40dddbe006331ef0659c76859296'/>
<id>4440a2ab3b9f40dddbe006331ef0659c76859296</id>
<content type='text'>
When memory is exhausted, nfct_seqadj_ext_add may fail to add the
synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
check if get valid seqadj pointer by the nfct_seqadj.

Now drop the packet directly when fail to add seqadj extension to
avoid dereference NULL pointer in nf_ct_seqadj_init from
init_conntrack().

Signed-off-by: Gao Feng &lt;fgao@ikuai8.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When memory is exhausted, nfct_seqadj_ext_add may fail to add the
synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
check if get valid seqadj pointer by the nfct_seqadj.

Now drop the packet directly when fail to add seqadj extension to
avoid dereference NULL pointer in nf_ct_seqadj_init from
init_conntrack().

Signed-off-by: Gao Feng &lt;fgao@ikuai8.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup()</title>
<updated>2016-09-12T18:32:57+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2016-09-09T13:38:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ecfcdfec7e0cc64215a194044305f02a5a836e6d'/>
<id>ecfcdfec7e0cc64215a194044305f02a5a836e6d</id>
<content type='text'>
nf_nat_setup_info() returns NF_* verdicts, so convert them to error
codes that is what ctnelink expects. This has passed overlook without
having any impact since this nf_nat_setup_info() has always returned
NF_ACCEPT so far. Since 870190a9ec90 ("netfilter: nat: convert nat bysrc
hash to rhashtable"), this is problem.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
nf_nat_setup_info() returns NF_* verdicts, so convert them to error
codes that is what ctnelink expects. This has passed overlook without
having any impact since this nf_nat_setup_info() has always returned
NF_ACCEPT so far. Since 870190a9ec90 ("netfilter: nat: convert nat bysrc
hash to rhashtable"), this is problem.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_tables_trace: fix endiness when dump chain policy</title>
<updated>2016-09-05T17:28:23+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-09-02T12:49:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5210d393ef84e5d2a4854671a9af2d97fd1b8dd4'/>
<id>5210d393ef84e5d2a4854671a9af2d97fd1b8dd4</id>
<content type='text'>
NFTA_TRACE_POLICY attribute is big endian, but we forget to call
htonl to convert it. Fortunately, this attribute is parsed as big
endian in libnftnl.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
NFTA_TRACE_POLICY attribute is big endian, but we forget to call
htonl to convert it. Fortunately, this attribute is parsed as big
endian in libnftnl.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_tables_netdev: remove redundant ip_hdr assignment</title>
<updated>2016-08-30T09:41:04+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-08-28T08:59:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c73c2484901139c28383b58eabcbf4d613e91518'/>
<id>c73c2484901139c28383b58eabcbf4d613e91518</id>
<content type='text'>
We have already use skb_header_pointer to get the ip header pointer,
so there's no need to use ip_hdr again. Moreover, in NETDEV INGRESS
hook, ip header maybe not linear, so use ip_hdr is not appropriate,
remove it.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We have already use skb_header_pointer to get the ip header pointer,
so there's no need to use ip_hdr again. Moreover, in NETDEV INGRESS
hook, ip header maybe not linear, so use ip_hdr is not appropriate,
remove it.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nft_meta: improve the validity check of pkttype set expr</title>
<updated>2016-08-25T11:12:03+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-08-22T14:57:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=960fa72f67f1be6891d63a5518860d1ae4e14b88'/>
<id>960fa72f67f1be6891d63a5518860d1ae4e14b88</id>
<content type='text'>
"meta pkttype set" is only supported on prerouting chain with bridge
family and ingress chain with netdev family.

But the validate check is incomplete, and the user can add the nft
rules on input chain with bridge family, for example:
  # nft add table bridge filter
  # nft add chain bridge filter input {type filter hook input \
    priority 0 \;}
  # nft add chain bridge filter test
  # nft add rule bridge filter test meta pkttype set unicast
  # nft add rule bridge filter input jump test

This patch fixes the problem.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
"meta pkttype set" is only supported on prerouting chain with bridge
family and ingress chain with netdev family.

But the validate check is incomplete, and the user can add the nft
rules on input chain with bridge family, for example:
  # nft add table bridge filter
  # nft add chain bridge filter input {type filter hook input \
    priority 0 \;}
  # nft add chain bridge filter test
  # nft add rule bridge filter test meta pkttype set unicast
  # nft add rule bridge filter input jump test

This patch fixes the problem.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists</title>
<updated>2016-08-25T11:11:30+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-08-22T13:58:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=533e33009897c7dd1b0424c0d4b3331b222d5681'/>
<id>533e33009897c7dd1b0424c0d4b3331b222d5681</id>
<content type='text'>
KASAN reported this bug:
  BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at
  addr ffff880002db08c8
  Read of size 4 by task lt-nf-queue/19041
  Call Trace:
  &lt;IRQ&gt;  [&lt;ffffffff815eeebb&gt;] dump_stack+0x63/0x88
  [&lt;ffffffff813386f8&gt;] kasan_report_error+0x528/0x560
  [&lt;ffffffff81338cc8&gt;] kasan_report+0x58/0x60
  [&lt;ffffffffa07393f5&gt;] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4]
  [&lt;ffffffff81337551&gt;] __asan_load4+0x61/0x80
  [&lt;ffffffffa07393f5&gt;] icmp_packet+0x25/0x50 [nf_conntrack_ipv4]
  [&lt;ffffffffa06ecaa0&gt;] nf_conntrack_in+0x550/0x980 [nf_conntrack]
  [&lt;ffffffffa06ec550&gt;] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack]
  [ ... ]

The main reason is that we missed to unlink the timeout objects in the
unconfirmed ct lists, so we will access the timeout objects that have
already been freed.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
KASAN reported this bug:
  BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at
  addr ffff880002db08c8
  Read of size 4 by task lt-nf-queue/19041
  Call Trace:
  &lt;IRQ&gt;  [&lt;ffffffff815eeebb&gt;] dump_stack+0x63/0x88
  [&lt;ffffffff813386f8&gt;] kasan_report_error+0x528/0x560
  [&lt;ffffffff81338cc8&gt;] kasan_report+0x58/0x60
  [&lt;ffffffffa07393f5&gt;] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4]
  [&lt;ffffffff81337551&gt;] __asan_load4+0x61/0x80
  [&lt;ffffffffa07393f5&gt;] icmp_packet+0x25/0x50 [nf_conntrack_ipv4]
  [&lt;ffffffffa06ecaa0&gt;] nf_conntrack_in+0x550/0x980 [nf_conntrack]
  [&lt;ffffffffa06ec550&gt;] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack]
  [ ... ]

The main reason is that we missed to unlink the timeout objects in the
unconfirmed ct lists, so we will access the timeout objects that have
already been freed.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: cttimeout: put back l4proto when replacing timeout policy</title>
<updated>2016-08-25T11:11:16+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-08-22T13:58:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=23aaba5ad55547db62bada5066c8fb6412d5b1c2'/>
<id>23aaba5ad55547db62bada5066c8fb6412d5b1c2</id>
<content type='text'>
We forget to call nf_ct_l4proto_put when replacing the existing
timeout policy. Acctually, there's no need to get ct l4proto
before doing replace, so we can move it to a later position.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We forget to call nf_ct_l4proto_put when replacing the existing
timeout policy. Acctually, there's no need to get ct l4proto
before doing replace, so we can move it to a later position.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects</title>
<updated>2016-08-25T11:11:00+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-08-22T13:58:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93fac10b99d78eb2c50a739cba2e590c7332d539'/>
<id>93fac10b99d78eb2c50a739cba2e590c7332d539</id>
<content type='text'>
cttimeout and acct objects are deleted from the list while traversing
it, so use list_for_each_entry is unsafe here.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
cttimeout and acct objects are deleted from the list while traversing
it, so use list_for_each_entry is unsafe here.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT</title>
<updated>2016-08-25T10:55:34+00:00</updated>
<author>
<name>Liping Zhang</name>
<email>liping.zhang@spreadtrum.com</email>
</author>
<published>2016-08-21T17:02:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=89e1f6d2b956649fbe0704d543a90b8e0cf872b0'/>
<id>89e1f6d2b956649fbe0704d543a90b8e0cf872b0</id>
<content type='text'>
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
  NULL pointer dereference at ...
  IP: [&lt;ffffffff81b9db2f&gt;] nf_send_reset+0xaf/0x400
  Call Trace:
  [&lt;ffffffff81b9da80&gt;] ? nf_reject_ip_tcphdr_get+0x160/0x160
  [&lt;ffffffffa0928061&gt;] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
  [&lt;ffffffffa08e836a&gt;] nft_do_chain+0x1fa/0x890 [nf_tables]
  [&lt;ffffffffa08e8170&gt;] ? __nft_trace_packet+0x170/0x170 [nf_tables]
  [&lt;ffffffffa06e0900&gt;] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
  [&lt;ffffffffa07224d4&gt;] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
  [...]

Because in the PREROUTING chain, routing information is not exist,
then we will dereference the NULL pointer and oops happen.

So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
  NULL pointer dereference at ...
  IP: [&lt;ffffffff81b9db2f&gt;] nf_send_reset+0xaf/0x400
  Call Trace:
  [&lt;ffffffff81b9da80&gt;] ? nf_reject_ip_tcphdr_get+0x160/0x160
  [&lt;ffffffffa0928061&gt;] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
  [&lt;ffffffffa08e836a&gt;] nft_do_chain+0x1fa/0x890 [nf_tables]
  [&lt;ffffffffa08e8170&gt;] ? __nft_trace_packet+0x170/0x170 [nf_tables]
  [&lt;ffffffffa06e0900&gt;] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
  [&lt;ffffffffa07224d4&gt;] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
  [...]

Because in the PREROUTING chain, routing information is not exist,
then we will dereference the NULL pointer and oops happen.

So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.

Signed-off-by: Liping Zhang &lt;liping.zhang@spreadtrum.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
