2.6.35-longterm review patch. If anyone has any objections, please let me know.
------------------ From: Jan Engelhardt <[email protected]> commit 9ef0298a8e5730d9a46d640014c727f3b4152870 upstream. Like many other places, we have to check that the array index is within allowed limits, or otherwise, a kernel oops and other nastiness can ensue when we access memory beyond the end of the array. [ 5954.115381] BUG: unable to handle kernel paging request at 0000004000000000 [ 5954.120014] IP: __find_logger+0x6f/0xa0 [ 5954.123979] nf_log_bind_pf+0x2b/0x70 [ 5954.123979] nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log] [ 5954.123979] nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink] ... The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind was decoupled from nf_log_register. Reported-by: Miguel Di Ciurcio Filho <[email protected]>, via irc.freenode.net/#netfilter Signed-off-by: Jan Engelhardt <[email protected]> Signed-off-by: Patrick McHardy <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Andi Kleen <[email protected]> --- net/netfilter/nf_log.c | 4 ++++ 1 file changed, 4 insertions(+) Index: linux-2.6.35.y/net/netfilter/nf_log.c =================================================================== --- linux-2.6.35.y.orig/net/netfilter/nf_log.c 2011-03-29 22:50:51.752934191 -0700 +++ linux-2.6.35.y/net/netfilter/nf_log.c 2011-03-29 23:03:01.956250115 -0700 @@ -85,6 +85,8 @@ int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger) { + if (pf >= ARRAY_SIZE(nf_loggers)) + return -EINVAL; mutex_lock(&nf_log_mutex); if (__find_logger(pf, logger->name) == NULL) { mutex_unlock(&nf_log_mutex); @@ -98,6 +100,8 @@ void nf_log_unbind_pf(u_int8_t pf) { + if (pf >= ARRAY_SIZE(nf_loggers)) + return; mutex_lock(&nf_log_mutex); rcu_assign_pointer(nf_loggers[pf], NULL); mutex_unlock(&nf_log_mutex); _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
