[linux] 01/02: Fix backport of "netfilter: x_tables: validate targets of jumps"

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Jun 25 22:07:59 UTC 2016



benh pushed a commit to branch jessie-security
in repository linux.

commit dca42764e8221a6f8704d18b12e9521c12385fbc
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jun 25 23:30:27 2016 +0200

    Fix backport of "netfilter: x_tables: validate targets of jumps"
    
    In 3.16, xt_table_info::entries points to an array of per-CPU pointers
    to filter tables, not to a single filter table.  So find_jump_target()
    was looking at the wrong data.
    
    Use the version that went into 3.14.73, which makes the new filter
    table a separate parameter to find_jump_target().
---
 debian/changelog                                   |  6 ++++++
 ...filter-x_tables-validate-targets-of-jumps.patch | 22 +++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 578a5d5..8e40b87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.7-ckt25-2+deb8u2) UNRELEASED; urgency=medium
+
+  * Fix backport of "netfilter: x_tables: validate targets of jumps"
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 25 Jun 2016 23:14:03 +0200
+
 linux (3.16.7-ckt25-2+deb8u1) jessie-security; urgency=high
 
   [ Ben Hutchings ]
diff --git a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch b/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch
index 3258c13..d8d50e3 100644
--- a/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch
+++ b/debian/patches/bugfix/all/netfilter-x_tables-validate-targets-of-jumps.patch
@@ -23,6 +23,7 @@ sys     0m18.840s
 
 Signed-off-by: Florian Westphal <fw at strlen.de>
 Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
 ---
  net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++
  net/ipv4/netfilter/ip_tables.c  | 16 ++++++++++++++++
@@ -31,16 +32,17 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
 
 --- a/net/ipv4/netfilter/arp_tables.c
 +++ b/net/ipv4/netfilter/arp_tables.c
-@@ -363,6 +363,18 @@ static inline bool unconditional(const s
+@@ -363,6 +363,19 @@ static inline bool unconditional(const s
  	       memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
  }
  
 +static bool find_jump_target(const struct xt_table_info *t,
++			     const void *entry0,
 +			     const struct arpt_entry *target)
 +{
 +	struct arpt_entry *iter;
 +
-+	xt_entry_foreach(iter, t->entries, t->size) {
++	xt_entry_foreach(iter, entry0, t->size) {
 +		 if (iter == target)
 +			return true;
 +	}
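Review bot: The new entry0 parameter is the whole point of this fix, yet nothing in the patched find_jump_target() says why the table base is passed in rather than taken from t, which is exactly the assumption that broke the first backport; the same applies to the ip_tables.c and ip6_tables.c copies in the following hunks. A short comment above the parameter would protect the next rebase of this patch, e.g. `/* entry0: the table being checked; in 3.16 t->entries is the per-CPU pointer array, not the entries themselves */`. Keeping the walk on t->size while the base comes from entry0 is correct only as long as both describe the same newinfo, which the call sites in the later hunks do honour. find_jump_target()'s closing lines fall outside this hunk.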
@@ -56,23 +58,24 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
  						 pos, newpos);
 +					e = (struct arpt_entry *)
 +						(entry0 + newpos);
-+					if (!find_jump_target(newinfo, e))
++					if (!find_jump_target(newinfo, entry0, e))
 +						return 0;
  				} else {
  					/* ... this is a fallthru */
  					newpos = pos + e->next_offset;
 --- a/net/ipv4/netfilter/ip_tables.c
 +++ b/net/ipv4/netfilter/ip_tables.c
-@@ -439,6 +439,18 @@ ipt_do_table(struct sk_buff *skb,
+@@ -439,6 +439,19 @@ ipt_do_table(struct sk_buff *skb,
  #endif
  }
  
 +static bool find_jump_target(const struct xt_table_info *t,
++			     const void *entry0,
 +			     const struct ipt_entry *target)
 +{
 +	struct ipt_entry *iter;
 +
-+	xt_entry_foreach(iter, t->entries, t->size) {
++	xt_entry_foreach(iter, entry0, t->size) {
 +		 if (iter == target)
 +			return true;
 +	}
@@ -88,23 +91,24 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
  						 pos, newpos);
 +					e = (struct ipt_entry *)
 +						(entry0 + newpos);
-+					if (!find_jump_target(newinfo, e))
++					if (!find_jump_target(newinfo, entry0, e))
 +						return 0;
  				} else {
  					/* ... this is a fallthru */
  					newpos = pos + e->next_offset;
 --- a/net/ipv6/netfilter/ip6_tables.c
 +++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -449,6 +449,18 @@ ip6t_do_table(struct sk_buff *skb,
+@@ -449,6 +449,19 @@ ip6t_do_table(struct sk_buff *skb,
  #endif
  }
  
 +static bool find_jump_target(const struct xt_table_info *t,
++			     const void *entry0,
 +			     const struct ip6t_entry *target)
 +{
 +	struct ip6t_entry *iter;
 +
-+	xt_entry_foreach(iter, t->entries, t->size) {
++	xt_entry_foreach(iter, entry0, t->size) {
 +		 if (iter == target)
 +			return true;
 +	}
@@ -120,7 +124,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
  						 pos, newpos);
 +					e = (struct ip6t_entry *)
 +						(entry0 + newpos);
-+					if (!find_jump_target(newinfo, e))
++					if (!find_jump_target(newinfo, entry0, e))
 +						return 0;
  				} else {
  					/* ... this is a fallthru */
