[linux] 01/02: netfilter: x_tables: Fix parsing of IPT_SO_SET_REPLACE blobs (CVE-2016-3134)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Apr 30 18:09:34 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 1164e5270078cb6a3343abe518d878658cad16b6
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Apr 30 20:06:18 2016 +0200
netfilter: x_tables: Fix parsing of IPT_SO_SET_REPLACE blobs (CVE-2016-3134)
---
debian/changelog | 4 +
...tfilter-x_tables-fix-unconditional-helper.patch | 226 +++++++++++++++++++++
...-sure-e-next_offset-covers-remaining-blob.patch | 83 ++++++++
...r-x_tables-validate-e-target_offset-early.patch | 193 ++++++++++++++++++
debian/patches/series | 3 +
5 files changed, 509 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d0bbcb9..faf0d31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,10 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
* [s390*] mm: four page table levels vs. fork (CVE-2016-2143)
* [amd64] iopl: Properly context-switch IOPL on Xen PV (CVE-2016-3157)
* [amd64] entry/compat: Add missing CLAC to entry_INT80_32 (CVE-2016-XXXX)
+ * netfilter: x_tables: Fix parsing of IPT_SO_SET_REPLACE blobs (CVE-2016-3134)
+ - validate e->target_offset early
+ - make sure e->next_offset covers remaining blob size
+ - fix unconditional helper
[ Salvatore Bonaccorso ]
* [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-fix-unconditional-helper.patch b/debian/patches/bugfix/all/netfilter-x_tables-fix-unconditional-helper.patch
new file mode 100644
index 0000000..864fd92
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-x_tables-fix-unconditional-helper.patch
@@ -0,0 +1,226 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Tue, 22 Mar 2016 18:02:52 +0100
+Subject: netfilter: x_tables: fix unconditional helper
+Origin: https://git.kernel.org/git/54d83fc74aa9ec72794373cb47432c5f7fb1a309
+
+Ben Hawkes says:
+
+ In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
+ is possible for a user-supplied ipt_entry structure to have a large
+ next_offset field. This field is not bounds checked prior to writing a
+ counter value at the supplied offset.
+
+Problem is that mark_source_chains should not have been called --
+the rule doesn't have a next entry, so its supposed to return
+an absolute verdict of either ACCEPT or DROP.
+
+However, the function conditional() doesn't work as the name implies.
+It only checks that the rule is using wildcard address matching.
+
+However, an unconditional rule must also not be using any matches
+(no -m args).
+
+The underflow validator only checked the addresses, therefore
+passing the 'unconditional absolute verdict' test, while
+mark_source_chains also tested for presence of matches, and thus
+proceeeded to the next (not-existent) rule.
+
+Unify this so that all the callers have same idea of 'unconditional rule'.
+
+Reported-by: Ben Hawkes <hawkes at google.com>
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ipv4/netfilter/arp_tables.c | 18 +++++++++---------
+ net/ipv4/netfilter/ip_tables.c | 23 +++++++++++------------
+ net/ipv6/netfilter/ip6_tables.c | 23 +++++++++++------------
+ 3 files changed, 31 insertions(+), 33 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -355,11 +355,12 @@ unsigned int arpt_do_table(struct sk_buf
+ }
+
+ /* All zeroes == unconditional rule. */
+-static inline bool unconditional(const struct arpt_arp *arp)
++static inline bool unconditional(const struct arpt_entry *e)
+ {
+ static const struct arpt_arp uncond;
+
+- return memcmp(arp, &uncond, sizeof(uncond)) == 0;
++ return e->target_offset == sizeof(struct arpt_entry) &&
++ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
+ }
+
+ /* Figures out from what hook each rule can be called: returns 0 if
+@@ -398,11 +399,10 @@ static int mark_source_chains(const stru
+ |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
+
+ /* Unconditional return/END. */
+- if ((e->target_offset == sizeof(struct arpt_entry) &&
++ if ((unconditional(e) &&
+ (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0) &&
+- t->verdict < 0 && unconditional(&e->arp)) ||
+- visited) {
++ t->verdict < 0) || visited) {
+ unsigned int oldpos, size;
+
+ if ((strcmp(t->target.u.user.name,
+@@ -541,7 +541,7 @@ static bool check_underflow(const struct
+ const struct xt_entry_target *t;
+ unsigned int verdict;
+
+- if (!unconditional(&e->arp))
++ if (!unconditional(e))
+ return false;
+ t = arpt_get_target_c(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+@@ -588,9 +588,9 @@ static inline int check_entry_size_and_h
+ newinfo->hook_entry[h] = hook_entries[h];
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!check_underflow(e)) {
+- pr_err("Underflows must be unconditional and "
+- "use the STANDARD target with "
+- "ACCEPT/DROP\n");
++ pr_debug("Underflows must be unconditional and "
++ "use the STANDARD target with "
++ "ACCEPT/DROP\n");
+ return -EINVAL;
+ }
+ newinfo->underflow[h] = underflows[h];
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int
+
+ /* All zeroes == unconditional rule. */
+ /* Mildly perf critical (only if packet tracing is on) */
+-static inline bool unconditional(const struct ipt_ip *ip)
++static inline bool unconditional(const struct ipt_entry *e)
+ {
+ static const struct ipt_ip uncond;
+
+- return memcmp(ip, &uncond, sizeof(uncond)) == 0;
++ return e->target_offset == sizeof(struct ipt_entry) &&
++ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
+ #undef FWINV
+ }
+
+@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_e
+ } else if (s == e) {
+ (*rulenum)++;
+
+- if (s->target_offset == sizeof(struct ipt_entry) &&
++ if (unconditional(s) &&
+ strcmp(t->target.u.kernel.target->name,
+ XT_STANDARD_TARGET) == 0 &&
+- t->verdict < 0 &&
+- unconditional(&s->ip)) {
++ t->verdict < 0) {
+ /* Tail of chains: STANDARD target (return/policy) */
+ *comment = *chainname == hookname
+ ? comments[NF_IP_TRACE_COMMENT_POLICY]
+@@ -472,11 +472,10 @@ mark_source_chains(const struct xt_table
+ e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
+
+ /* Unconditional return/END. */
+- if ((e->target_offset == sizeof(struct ipt_entry) &&
++ if ((unconditional(e) &&
+ (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0) &&
+- t->verdict < 0 && unconditional(&e->ip)) ||
+- visited) {
++ t->verdict < 0) || visited) {
+ unsigned int oldpos, size;
+
+ if ((strcmp(t->target.u.user.name,
+@@ -703,7 +702,7 @@ static bool check_underflow(const struct
+ const struct xt_entry_target *t;
+ unsigned int verdict;
+
+- if (!unconditional(&e->ip))
++ if (!unconditional(e))
+ return false;
+ t = ipt_get_target_c(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+@@ -751,9 +750,9 @@ check_entry_size_and_hooks(struct ipt_en
+ newinfo->hook_entry[h] = hook_entries[h];
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!check_underflow(e)) {
+- pr_err("Underflows must be unconditional and "
+- "use the STANDARD target with "
+- "ACCEPT/DROP\n");
++ pr_debug("Underflows must be unconditional and "
++ "use the STANDARD target with "
++ "ACCEPT/DROP\n");
+ return -EINVAL;
+ }
+ newinfo->underflow[h] = underflows[h];
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -195,11 +195,12 @@ get_entry(const void *base, unsigned int
+
+ /* All zeroes == unconditional rule. */
+ /* Mildly perf critical (only if packet tracing is on) */
+-static inline bool unconditional(const struct ip6t_ip6 *ipv6)
++static inline bool unconditional(const struct ip6t_entry *e)
+ {
+ static const struct ip6t_ip6 uncond;
+
+- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
++ return e->target_offset == sizeof(struct ip6t_entry) &&
++ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0;
+ }
+
+ static inline const struct xt_entry_target *
+@@ -255,11 +256,10 @@ get_chainname_rulenum(const struct ip6t_
+ } else if (s == e) {
+ (*rulenum)++;
+
+- if (s->target_offset == sizeof(struct ip6t_entry) &&
++ if (unconditional(s) &&
+ strcmp(t->target.u.kernel.target->name,
+ XT_STANDARD_TARGET) == 0 &&
+- t->verdict < 0 &&
+- unconditional(&s->ipv6)) {
++ t->verdict < 0) {
+ /* Tail of chains: STANDARD target (return/policy) */
+ *comment = *chainname == hookname
+ ? comments[NF_IP6_TRACE_COMMENT_POLICY]
+@@ -482,11 +482,10 @@ mark_source_chains(const struct xt_table
+ e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
+
+ /* Unconditional return/END. */
+- if ((e->target_offset == sizeof(struct ip6t_entry) &&
++ if ((unconditional(e) &&
+ (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0) &&
+- t->verdict < 0 &&
+- unconditional(&e->ipv6)) || visited) {
++ t->verdict < 0) || visited) {
+ unsigned int oldpos, size;
+
+ if ((strcmp(t->target.u.user.name,
+@@ -714,7 +713,7 @@ static bool check_underflow(const struct
+ const struct xt_entry_target *t;
+ unsigned int verdict;
+
+- if (!unconditional(&e->ipv6))
++ if (!unconditional(e))
+ return false;
+ t = ip6t_get_target_c(e);
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
+@@ -762,9 +761,9 @@ check_entry_size_and_hooks(struct ip6t_e
+ newinfo->hook_entry[h] = hook_entries[h];
+ if ((unsigned char *)e - base == underflows[h]) {
+ if (!check_underflow(e)) {
+- pr_err("Underflows must be unconditional and "
+- "use the STANDARD target with "
+- "ACCEPT/DROP\n");
++ pr_debug("Underflows must be unconditional and "
++ "use the STANDARD target with "
++ "ACCEPT/DROP\n");
+ return -EINVAL;
+ }
+ newinfo->underflow[h] = underflows[h];
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch b/debian/patches/bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch
new file mode 100644
index 0000000..a4c63b4
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch
@@ -0,0 +1,83 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Tue, 22 Mar 2016 18:02:50 +0100
+Subject: netfilter: x_tables: make sure e->next_offset covers remaining blob
+ size
+Origin: https://git.kernel.org/git/6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
+
+Otherwise this function may read data beyond the ruleset blob.
+
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ipv4/netfilter/arp_tables.c | 6 ++++--
+ net/ipv4/netfilter/ip_tables.c | 6 ++++--
+ net/ipv6/netfilter/ip6_tables.c | 6 ++++--
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -563,7 +563,8 @@ static inline int check_entry_size_and_h
+ int err;
+
+ if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
+- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
++ (unsigned char *)e + sizeof(struct arpt_entry) >= limit ||
++ (unsigned char *)e + e->next_offset > limit) {
+ duprintf("Bad offset %p\n", e);
+ return -EINVAL;
+ }
+@@ -1223,7 +1224,8 @@ check_compat_entry_size_and_hooks(struct
+
+ duprintf("check_compat_entry_size_and_hooks %p\n", e);
+ if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
+- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
++ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit ||
++ (unsigned char *)e + e->next_offset > limit) {
+ duprintf("Bad offset %p, limit = %p\n", e, limit);
+ return -EINVAL;
+ }
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -726,7 +726,8 @@ check_entry_size_and_hooks(struct ipt_en
+ int err;
+
+ if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
+- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
++ (unsigned char *)e + sizeof(struct ipt_entry) >= limit ||
++ (unsigned char *)e + e->next_offset > limit) {
+ duprintf("Bad offset %p\n", e);
+ return -EINVAL;
+ }
+@@ -1489,7 +1490,8 @@ check_compat_entry_size_and_hooks(struct
+
+ duprintf("check_compat_entry_size_and_hooks %p\n", e);
+ if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
+- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
++ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit ||
++ (unsigned char *)e + e->next_offset > limit) {
+ duprintf("Bad offset %p, limit = %p\n", e, limit);
+ return -EINVAL;
+ }
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -737,7 +737,8 @@ check_entry_size_and_hooks(struct ip6t_e
+ int err;
+
+ if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
+- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
++ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
++ (unsigned char *)e + e->next_offset > limit) {
+ duprintf("Bad offset %p\n", e);
+ return -EINVAL;
+ }
+@@ -1501,7 +1502,8 @@ check_compat_entry_size_and_hooks(struct
+
+ duprintf("check_compat_entry_size_and_hooks %p\n", e);
+ if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
+- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
++ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
++ (unsigned char *)e + e->next_offset > limit) {
+ duprintf("Bad offset %p, limit = %p\n", e, limit);
+ return -EINVAL;
+ }
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
new file mode 100644
index 0000000..2eaf321
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
@@ -0,0 +1,193 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Tue, 22 Mar 2016 18:02:49 +0100
+Subject: netfilter: x_tables: validate e->target_offset early
+Origin: https://git.kernel.org/git/bdf533de6968e9686df777dc178486f600c6e617
+
+We should check that e->target_offset is sane before
+mark_source_chains gets called since it will fetch the target entry
+for loop detection.
+
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ipv4/netfilter/arp_tables.c | 17 ++++++++---------
+ net/ipv4/netfilter/ip_tables.c | 17 ++++++++---------
+ net/ipv6/netfilter/ip6_tables.c | 17 ++++++++---------
+ 3 files changed, 24 insertions(+), 27 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -470,14 +470,12 @@ static int mark_source_chains(const stru
+ return 1;
+ }
+
+-static inline int check_entry(const struct arpt_entry *e, const char *name)
++static inline int check_entry(const struct arpt_entry *e)
+ {
+ const struct xt_entry_target *t;
+
+- if (!arp_checkentry(&e->arp)) {
+- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
++ if (!arp_checkentry(&e->arp))
+ return -EINVAL;
+- }
+
+ if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
+ return -EINVAL;
+@@ -518,10 +516,6 @@ find_check_entry(struct arpt_entry *e, c
+ struct xt_target *target;
+ int ret;
+
+- ret = check_entry(e, name);
+- if (ret)
+- return ret;
+-
+ t = arpt_get_target(e);
+ target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
+ t->u.user.revision);
+@@ -566,6 +560,7 @@ static inline int check_entry_size_and_h
+ unsigned int valid_hooks)
+ {
+ unsigned int h;
++ int err;
+
+ if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
+ (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
+@@ -580,6 +575,10 @@ static inline int check_entry_size_and_h
+ return -EINVAL;
+ }
+
++ err = check_entry(e);
++ if (err)
++ return err;
++
+ /* Check hooks & underflows */
+ for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+@@ -1237,7 +1236,7 @@ check_compat_entry_size_and_hooks(struct
+ }
+
+ /* For purposes of check_entry casting the compat entry is fine */
+- ret = check_entry((struct arpt_entry *)e, name);
++ ret = check_entry((struct arpt_entry *)e);
+ if (ret)
+ return ret;
+
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -565,14 +565,12 @@ static void cleanup_match(struct xt_entr
+ }
+
+ static int
+-check_entry(const struct ipt_entry *e, const char *name)
++check_entry(const struct ipt_entry *e)
+ {
+ const struct xt_entry_target *t;
+
+- if (!ip_checkentry(&e->ip)) {
+- duprintf("ip check failed %p %s.\n", e, name);
++ if (!ip_checkentry(&e->ip))
+ return -EINVAL;
+- }
+
+ if (e->target_offset + sizeof(struct xt_entry_target) >
+ e->next_offset)
+@@ -662,10 +660,6 @@ find_check_entry(struct ipt_entry *e, st
+ struct xt_mtchk_param mtpar;
+ struct xt_entry_match *ematch;
+
+- ret = check_entry(e, name);
+- if (ret)
+- return ret;
+-
+ j = 0;
+ mtpar.net = net;
+ mtpar.table = name;
+@@ -729,6 +723,7 @@ check_entry_size_and_hooks(struct ipt_en
+ unsigned int valid_hooks)
+ {
+ unsigned int h;
++ int err;
+
+ if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
+ (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
+@@ -743,6 +738,10 @@ check_entry_size_and_hooks(struct ipt_en
+ return -EINVAL;
+ }
+
++ err = check_entry(e);
++ if (err)
++ return err;
++
+ /* Check hooks & underflows */
+ for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+@@ -1503,7 +1502,7 @@ check_compat_entry_size_and_hooks(struct
+ }
+
+ /* For purposes of check_entry casting the compat entry is fine */
+- ret = check_entry((struct ipt_entry *)e, name);
++ ret = check_entry((struct ipt_entry *)e);
+ if (ret)
+ return ret;
+
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -575,14 +575,12 @@ static void cleanup_match(struct xt_entr
+ }
+
+ static int
+-check_entry(const struct ip6t_entry *e, const char *name)
++check_entry(const struct ip6t_entry *e)
+ {
+ const struct xt_entry_target *t;
+
+- if (!ip6_checkentry(&e->ipv6)) {
+- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
++ if (!ip6_checkentry(&e->ipv6))
+ return -EINVAL;
+- }
+
+ if (e->target_offset + sizeof(struct xt_entry_target) >
+ e->next_offset)
+@@ -673,10 +671,6 @@ find_check_entry(struct ip6t_entry *e, s
+ struct xt_mtchk_param mtpar;
+ struct xt_entry_match *ematch;
+
+- ret = check_entry(e, name);
+- if (ret)
+- return ret;
+-
+ j = 0;
+ mtpar.net = net;
+ mtpar.table = name;
+@@ -740,6 +734,7 @@ check_entry_size_and_hooks(struct ip6t_e
+ unsigned int valid_hooks)
+ {
+ unsigned int h;
++ int err;
+
+ if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
+ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
+@@ -754,6 +749,10 @@ check_entry_size_and_hooks(struct ip6t_e
+ return -EINVAL;
+ }
+
++ err = check_entry(e);
++ if (err)
++ return err;
++
+ /* Check hooks & underflows */
+ for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+@@ -1515,7 +1514,7 @@ check_compat_entry_size_and_hooks(struct
+ }
+
+ /* For purposes of check_entry casting the compat entry is fine */
+- ret = check_entry((struct ip6t_entry *)e, name);
++ ret = check_entry((struct ip6t_entry *)e);
+ if (ret)
+ return ret;
+
diff --git a/debian/patches/series b/debian/patches/series
index 4082922..7a38e70 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -664,3 +664,6 @@ bugfix/s390/s390-mm-four-page-table-levels-vs.-fork.patch
bugfix/x86/x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch
bugfix/x86/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch
bugfix/all/USB-usbip-fix-potential-out-of-bounds-write.patch
+bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch
+bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-remaining-blob.patch
+bugfix/all/netfilter-x_tables-fix-unconditional-helper.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list