Unverified Commit bc352912 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!8620 CVE-2024-35896

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/RIWE7QSLYRZJBQKWZAIU2WG3RSUVOFXT/ 
CVE-2024-35896

Eric Dumazet (2):
  netfilter: validate user input for expected length
  netfilter: complete validation of user input


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG86 
 
Link:https://gitee.com/openeuler/kernel/pulls/8620

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Liu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
parents c568fbca 953d8f7d
+6 −0
@@ -1081,6 +1081,8 @@ static int do_replace(struct net *net, const void __user *user,
	struct ebt_table_info *newinfo;
	struct ebt_replace tmp;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1301,6 +1303,8 @@ static int update_counters(struct net *net, const void __user *user,
{
	struct ebt_replace hlp;

	if (len < sizeof(hlp))
		return -EINVAL;
	if (copy_from_user(&hlp, user, sizeof(hlp)))
		return -EFAULT;

@@ -2312,6 +2316,8 @@ static int compat_update_counters(struct net *net, void __user *user,
{
	struct compat_ebt_replace hlp;

	if (len < sizeof(hlp))
		return -EINVAL;
	if (copy_from_user(&hlp, user, sizeof(hlp)))
		return -EFAULT;
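Review bot: The guards added to do_replace, update_counters and compat_update_counters only prove that `len` covers the fixed header, and nothing in these three hunks relates `len` to the variable-length data the header describes. The sections for the arp/ip/ip6 tables gain a second check for that (`(u64)len < (u64)tmp.size + sizeof(tmp)`), while this section does not; each of the three functions continues past its hunk, so an equivalent check may already sit below the copy and should be confirmed before merge. Either way a short comment above each guard would record the intent, for example `/* len is caller-supplied; it must cover the header before copy_from_user() reads sizeof() bytes */`.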

+8 −0
@@ -956,6 +956,8 @@ static int do_replace(struct net *net, const void __user *user,
	void *loc_cpu_entry;
	struct arpt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -964,6 +966,8 @@ static int do_replace(struct net *net, const void __user *user,
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1256,6 +1260,8 @@ static int compat_do_replace(struct net *net, void __user *user,
	void *loc_cpu_entry;
	struct arpt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1264,6 +1270,8 @@ static int compat_do_replace(struct net *net, void __user *user,
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;
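Review bot: The `(u64)` casts in `if ((u64)len < (u64)tmp.size + sizeof(tmp))` are undocumented, and a later cleanup could drop them as redundant; presumably they keep the sum from wrapping where `size_t` is 32 bits, which would let a large `tmp.size` pass the comparison. I would add `/* compare in 64 bits so tmp.size + sizeof(tmp) cannot wrap */` above the check in do_replace and compat_do_replace here, and above the same lines in the sections that use struct ipt_entry and struct ip6t_entry. The check is a lower bound, so a `len` larger than the header plus `tmp.size` is still accepted; if that is intended, the comment should say so. Both functions continue outside the hunks, so how `tmp.size` is used afterwards is not visible here.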

+8 −0
@@ -1114,6 +1114,8 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
	void *loc_cpu_entry;
	struct ipt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1122,6 +1124,8 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1499,6 +1503,8 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
	void *loc_cpu_entry;
	struct ipt_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1507,6 +1513,8 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

+8 −0
@@ -1132,6 +1132,8 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
	void *loc_cpu_entry;
	struct ip6t_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1140,6 +1142,8 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;

@@ -1509,6 +1513,8 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
	void *loc_cpu_entry;
	struct ip6t_entry *iter;

	if (len < sizeof(tmp))
		return -EINVAL;
	if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
		return -EFAULT;

@@ -1517,6 +1523,8 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
		return -ENOMEM;
	if (tmp.num_counters == 0)
		return -EINVAL;
	if ((u64)len < (u64)tmp.size + sizeof(tmp))
		return -EINVAL;

	tmp.name[sizeof(tmp.name)-1] = 0;