netfilter: x_tables: fix pointer leaks to userspace

Several netfilter matches and targets put kernel pointers into info objects, but don't set usersize in descriptors. This leads to kernel pointer leaks if a match/target is set and then read back to userspace. Properly set usersize for these matches/targets. Found with manual code inspection. Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize") Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Dmitry Vyukov <dvyukov@google.com> 2018-01-29 13:21:20 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-01-31 14:59:24 +0100
commit: 1e98ffea5a8935ec040ab72299e349cb44b8defd (patch)
tree: 512f7e462d332f478c0e3459ca1794abc0c32a9d /net/netfilter/xt_nfacct.c
parent: 0b8d9073539e217f79ec1bff65eb205ac796723d (diff)
download: linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index cc0518fe598e45..6f92d25590a85d 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly = {
 	.match      = nfacct_mt,
 	.destroy    = nfacct_mt_destroy,
 	.matchsize  = sizeof(struct xt_nfacct_match_info),
+	.usersize   = offsetof(struct xt_nfacct_match_info, nfacct),
 	.me         = THIS_MODULE,
 };
author	Dmitry Vyukov <dvyukov@google.com>	2018-01-29 13:21:20 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-01-31 14:59:24 +0100
commit	1e98ffea5a8935ec040ab72299e349cb44b8defd (patch)
tree	512f7e462d332f478c0e3459ca1794abc0c32a9d /net/netfilter/xt_nfacct.c
parent	0b8d9073539e217f79ec1bff65eb205ac796723d (diff)
download	linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.gz