1. 17 Aug, 2016 13 commits
  2. 16 Aug, 2016 19 commits
  3. 14 Aug, 2016 5 commits
  4. 12 Aug, 2016 1 commit
    • fs/proc/task_mmu.c: fix mm_access() mode parameter in pagemap_read() · 5c576457
      Kenny Keslar authored
      Backport of caaee623 ("ptrace: use fsuid,
      fsgid, effective creds for fs access checks") to v4.1 failed to update the
      mode parameter in the mm_access() call in pagemap_read() to have one of the
      new PTRACE_MODE_*CREDS flags.
      
      Attempting to read any other process' pagemap results in a WARN()
      
      WARNING: CPU: 0 PID: 883 at kernel/ptrace.c:229 __ptrace_may_access+0x14a/0x160()
      denying ptrace access check without PTRACE_MODE_*CREDS
      Modules linked in: loop sg e1000 i2c_piix4 ppdev virtio_balloon virtio_pci parport_pc i2c_core virtio_ring ata_generic serio_raw pata_acpi virtio parport pcspkr floppy acpi_cpufreq ip_tables ext3 mbcache jbd sd_mod ata_piix crc32c_intel libata
      CPU: 0 PID: 883 Comm: cat Tainted: G        W       4.1.12-51.el7uek.x86_64 #2
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        0000000000000286 00000000619f225a ffff88003b6fbc18 ffffffff81717021
        ffff88003b6fbc70 ffffffff819be870 ffff88003b6fbc58 ffffffff8108477a
        000000003b6fbc58 0000000000000001 ffff88003d287000 0000000000000001
      Call Trace:
        [<ffffffff81717021>] dump_stack+0x63/0x81
        [<ffffffff8108477a>] warn_slowpath_common+0x8a/0xc0
        [<ffffffff81084805>] warn_slowpath_fmt+0x55/0x70
        [<ffffffff8108e57a>] __ptrace_may_access+0x14a/0x160
        [<ffffffff8108f372>] ptrace_may_access+0x32/0x50
        [<ffffffff81081bad>] mm_access+0x6d/0xb0
        [<ffffffff81278c81>] pagemap_read+0xe1/0x360
        [<ffffffff811a046b>] ? lru_cache_add_active_or_unevictable+0x2b/0xa0
        [<ffffffff8120d2e7>] __vfs_read+0x37/0x100
        [<ffffffff812b9ab4>] ? security_file_permission+0x84/0xa0
        [<ffffffff8120d8b6>] ? rw_verify_area+0x56/0xe0
        [<ffffffff8120d9c6>] vfs_read+0x86/0x140
        [<ffffffff8120e945>] SyS_read+0x55/0xd0
        [<ffffffff8171eb6e>] system_call_fastpath+0x12/0x71
      
      Fixes: ab88ce5f (ptrace: use fsuid, fsgid, effective creds for fs access checks)
      Signed-off-by: Kenny Keslar <kenny.keslar@oracle.com>
      Cc: Roland McGrath <roland@hack.frob.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
  5. 11 Aug, 2016 1 commit
    • netfilter: nf_nat_redirect: add missing NULL pointer check · 6a468737
      Munehisa Kamata authored
      [ Upstream commit 94f9cd81 ]
      
      Commit 8b13eddf ("netfilter: refactor NAT
      redirect IPv4 to use it from nf_tables") has introduced a trivial logic
      change which can result in the following crash.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
      IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
      PGD 3ba662067 PUD 3ba661067 PMD 0
      Oops: 0000 [#1] SMP
      Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
      CPU: 0 PID: 2536 Comm: ip Tainted: G            E   4.1.7-15.23.amzn1.x86_64 #1
      Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
      task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
      [...]
      Call Trace:
       <IRQ>
       [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT]
       [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables]
       [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
       [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
       [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
       [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
       [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
       [<ffffffff81449137>] nf_iterate+0x57/0x80
       [<ffffffff814491f7>] nf_hook_slow+0x97/0x100
       [<ffffffff814504d4>] ip_rcv+0x314/0x400
      
      unsigned int
      nf_nat_redirect_ipv4(struct sk_buff *skb,
      ...
      {
      ...
      		rcu_read_lock();
      		indev = __in_dev_get_rcu(skb->dev);
      		if (indev != NULL) {
      			ifa = indev->ifa_list;
      			newdst = ifa->ifa_local; <---
      		}
      		rcu_read_unlock();
      ...
      }
      
      Before the commit, 'ifa' had been always checked before access. After the
      commit, however, it could be accessed even if it's NULL. Interestingly,
      this was once fixed in 2003.
      
      http://marc.info/?l=netfilter-devel&m=106668497403047&w=2
      
      In addition to the original one, we have seen the crash when packets that
      need to be redirected somehow arrive on an interface which hasn't been
      yet fully configured.
      
      This change just reverts the logic to the old behavior to avoid the crash.
      
      Fixes: 8b13eddf ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
      Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
  6. 09 Aug, 2016 1 commit