Commit 4f8a881a authored Aug 18, 2017 by Xin Long Committed by David S. Miller Aug 18, 2017

net: sched: fix NULL pointer dereference when action calls some targets



As we know in some target's checkentry it may dereference par.entryinfo
to check entry stuff inside. But when sched action calls xt_check_target,
par.entryinfo is set with NULL. It would cause kernel panic when calling
some targets.

It can be reproduce with:
  # tc qd add dev eth1 ingress handle ffff:
  # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
    -j ECN --ecn-tcp-remove

It could also crash kernel when using target CLUSTERIP or TPROXY.

By now there's no proper value for par.entryinfo in ipt_init_target,
but it can not be set with NULL. This patch is to void all these
panics by setting it with an ipt_entry obj with all members = 0.

Note that this issue has been there since the very beginning.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 9a19bad7

net/sched/act_ipt.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -41,6 +41,7 @@ static int ipt_init_target(struct net net, struct xt_entry_target t,
		{
		struct xt_tgchk_param par;
		struct xt_target *target;
		struct ipt_entry e = {};
		int ret = 0;

		target = xt_request_find_target(AF_INET, t->u.user.name,
		@@ -52,6 +53,7 @@ static int ipt_init_target(struct net net, struct xt_entry_target t,
		memset(&par, 0, sizeof(par));
		par.net = net;
		par.table = table;
		par.entryinfo = &e;
		par.target = target;
		par.targinfo = t->data;
		par.hook_mask = hook;

Admin message