diff options
author | Dmitry Vyukov <dvyukov@google.com> | 2018-01-29 13:21:20 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-04-26 11:02:13 +0200 |
commit | ad10785a706e63ff155fc97860cdcc5e3bc5992d (patch) | |
tree | 16f0f8298d64ded12bfc725ea4352f2352b6a796 /net/netfilter/xt_nfacct.c | |
parent | 2b7cc93682acf720f6b2e1a690ccdae71129e6fc (diff) |
netfilter: x_tables: fix pointer leaks to userspace
[ Upstream commit 1e98ffea5a8935ec040ab72299e349cb44b8defd ]
Several netfilter matches and targets put kernel pointers into
info objects, but don't set usersize in descriptors.
This leads to kernel pointer leaks if a match/target is set
and then read back to userspace.
Properly set usersize for these matches/targets.
Found with manual code inspection.
Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/netfilter/xt_nfacct.c')
-rw-r--r-- | net/netfilter/xt_nfacct.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c index cc0518fe598e..6f92d25590a8 100644 --- a/net/netfilter/xt_nfacct.c +++ b/net/netfilter/xt_nfacct.c @@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly = { .match = nfacct_mt, .destroy = nfacct_mt_destroy, .matchsize = sizeof(struct xt_nfacct_match_info), + .usersize = offsetof(struct xt_nfacct_match_info, nfacct), .me = THIS_MODULE, }; |