netfilter: x_tables: fix pointer leaks to userspace

[ Upstream commit 1e98ffea5a8935ec040ab72299e349cb44b8defd ] Several netfilter matches and targets put kernel pointers into info objects, but don't set usersize in descriptors. This leads to kernel pointer leaks if a match/target is set and then read back to userspace. Properly set usersize for these matches/targets. Found with manual code inspection. Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize") Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dmitry Vyukov <dvyukov@google.com> 2018-01-29 13:21:20 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-04-26 11:02:13 +0200
commit: ad10785a706e63ff155fc97860cdcc5e3bc5992d (patch)
tree: 16f0f8298d64ded12bfc725ea4352f2352b6a796 /net/netfilter/xt_nfacct.c
parent: 2b7cc93682acf720f6b2e1a690ccdae71129e6fc (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index cc0518fe598e..6f92d25590a8 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly = {
 	.match      = nfacct_mt,
 	.destroy    = nfacct_mt_destroy,
 	.matchsize  = sizeof(struct xt_nfacct_match_info),
+	.usersize   = offsetof(struct xt_nfacct_match_info, nfacct),
 	.me         = THIS_MODULE,
 };
author	Dmitry Vyukov <dvyukov@google.com>	2018-01-29 13:21:20 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-04-26 11:02:13 +0200
commit	ad10785a706e63ff155fc97860cdcc5e3bc5992d (patch)
tree	16f0f8298d64ded12bfc725ea4352f2352b6a796 /net/netfilter/xt_nfacct.c
parent	2b7cc93682acf720f6b2e1a690ccdae71129e6fc (diff)