[PATCH 00/21][trusty, lts-utopic, vivid] Misc netfilter fixes (including CVE-2016-3134)

Luis Henriques luis.henriques at canonical.com
Thu Jun 23 18:34:32 UTC 2016


BugLink: https://bugs.launchpad.net/bugs/1595350
BugLink: https://bugs.launchpad.net/bugs/1555338

Following this email I am sending several netfilter fixes, including the fix for
CVE-2016-3134.  Most of these patches are clean cherry-picks; backports are
mostly context adjustment and these were all checked against backports for
upstream stable trees (mostly 3.14).

NOTE:

Commit d7591f0c41ce ("netfilter: x_tables: introduce and use
xt_copy_counters_from_user") is currently not queued to be included in stable
3.14, only in 4.4 and 4.6.  But I couldn't find a reason not to include it in
these older kernels (Trusty, etc).  So, I am including it in this patchset and
queried the stable mailing list about it.

Bernhard Thaler (1):
  Revert "netfilter: ensure number of counters is >0 in do_replace()"

Dave Jones (1):
  netfilter: ensure number of counters is >0 in do_replace()

Florian Westphal (19):
  netfilter: x_tables: validate e->target_offset early
  netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
  netfilter: x_tables: fix unconditional helper
  netfilter: x_tables: don't move to non-existent next rule
  netfilter: x_tables: validate targets of jumps
  netfilter: x_tables: add and use xt_check_entry_offsets
  netfilter: x_tables: kill check_entry helper
  netfilter: x_tables: assert minimum target size
  netfilter: x_tables: add compat version of xt_check_entry_offsets
  netfilter: x_tables: check standard target size too
  netfilter: x_tables: check for bogus target offset
  netfilter: x_tables: validate all offsets and sizes in a rule
  netfilter: x_tables: don't reject valid target size on some
    architectures
  netfilter: arp_tables: simplify translate_compat_table args
  netfilter: ip_tables: simplify translate_compat_table args
  netfilter: ip6_tables: simplify translate_compat_table args
  netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
  netfilter: x_tables: do compat validation via translate_table
  netfilter: x_tables: introduce and use xt_copy_counters_from_user

 include/linux/netfilter/x_tables.h |  12 +-
 net/ipv4/netfilter/arp_tables.c    | 328 ++++++++++++---------------------
 net/ipv4/netfilter/ip_tables.c     | 360 ++++++++++++-------------------------
 net/ipv6/netfilter/ip6_tables.c    | 354 +++++++++++-------------------------
 net/netfilter/x_tables.c           | 245 ++++++++++++++++++++++++-
 5 files changed, 580 insertions(+), 719 deletions(-)
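As an added example (not code from this series or from the kernel), the following simplified C model shows the kind of offset validation the x_tables patches listed above are about: an entry's target_offset and next_offset are checked against the remaining blob before anything derived from them is dereferenced, the target header must fit inside the entry, and a jump verdict must land on the start of some entry. The struct layouts and the names entry_hdr, target_hdr, check_entry_offsets, validate_blob, put_entry and sample_result are illustrative constructions, not the kernel's ipt_entry / xt_entry_target definitions, and the sample blobs are constructed inline.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Illustrative layouts only: NOT the kernel's ipt_entry / xt_entry_target. */
struct entry_hdr {
    uint16_t target_offset;  /* where the target header starts, from entry start */
    uint16_t next_offset;    /* total size of this entry; next entry starts here */
};

struct target_hdr {
    uint16_t size;           /* size of the target, including this header */
    int16_t  verdict;        /* < 0: final verdict; >= 0: jump to a blob offset */
};

#define ILLUST_ALIGN 4       /* assumed alignment for this model */
#define MAX_ENTRIES 64

/* Check one entry's offsets before anything derived from them is used. */
static int check_entry_offsets(const uint8_t *blob, size_t blob_size, size_t pos)
{
    struct entry_hdr e;
    struct target_hdr t;
    size_t remaining;

    if (pos > blob_size)
        return -1;
    remaining = blob_size - pos;
    if (remaining < sizeof(e))
        return -1;
    memcpy(&e, blob + pos, sizeof(e));

    /* target must start after the entry header, be aligned, and fit in the entry */
    if (e.target_offset < sizeof(e) || e.target_offset % ILLUST_ALIGN)
        return -1;
    if ((size_t)e.target_offset + sizeof(t) > e.next_offset)
        return -1;
    /* entry must be aligned and must not run past the end of the blob */
    if (e.next_offset % ILLUST_ALIGN || e.next_offset > remaining)
        return -1;

    memcpy(&t, blob + pos + e.target_offset, sizeof(t));
    /* target size must cover its own header and stay inside the entry */
    if (t.size < sizeof(t) || (size_t)e.target_offset + t.size > e.next_offset)
        return -1;
    return 0;
}

/* Walk the whole blob; returns 0 if every entry and every jump is well-formed. */
int validate_blob(const uint8_t *blob, size_t blob_size)
{
    size_t starts[MAX_ENTRIES];
    size_t n = 0, pos = 0, i, j;

    /* pass 1: validate each entry's offsets before stepping to the next one */
    while (pos < blob_size) {
        struct entry_hdr e;
        if (n == MAX_ENTRIES || check_entry_offsets(blob, blob_size, pos))
            return -1;
        memcpy(&e, blob + pos, sizeof(e));
        starts[n++] = pos;
        pos += e.next_offset;
    }
    if (pos != blob_size)    /* blob must end exactly on an entry boundary */
        return -1;

    /* pass 2: every jump must land on the start of some entry */
    for (i = 0; i < n; i++) {
        struct entry_hdr e;
        struct target_hdr t;
        int found = 0;
        memcpy(&e, blob + starts[i], sizeof(e));
        memcpy(&t, blob + starts[i] + e.target_offset, sizeof(t));
        if (t.verdict < 0)
            continue;
        for (j = 0; j < n; j++)
            if (starts[j] == (size_t)t.verdict) { found = 1; break; }
        if (!found)
            return -1;
    }
    return 0;
}

/* Append one 8-byte entry (4-byte header + 4-byte target); returns the new length. */
static size_t put_entry(uint8_t *buf, size_t len, uint16_t toff, uint16_t next,
                        uint16_t tsize, int16_t verdict)
{
    struct entry_hdr e = { toff, next };
    struct target_hdr t = { tsize, verdict };
    memcpy(buf + len, &e, sizeof(e));
    memcpy(buf + len + sizeof(e), &t, sizeof(t));
    return len + sizeof(e) + sizeof(t);
}

/* Constructed sample blobs: variant 0 is well-formed; variants 1..3 each break one check
 * (1: next_offset past end of blob, 2: jump to a non-entry offset, 3: target past entry). */
int sample_result(int variant)
{
    uint8_t buf[64];
    size_t len = 0;

    len = put_entry(buf, len, 4, 8, 4, variant == 2 ? 6 : 8);   /* entry 0 jumps to entry 1 */
    len = put_entry(buf, len, variant == 3 ? 8 : 4,             /* entry 1: final verdict */
                    variant == 1 ? 12 : 8, 4, -1);
    return validate_blob(buf, len);
}

int main(void)
{
    int v;
    for (v = 0; v < 4; v++)
        printf("variant %d: %s\n", v, sample_result(v) == 0 ? "valid" : "rejected");
    return 0;
}
```

The point of the two-pass structure is that an entry's offsets are checked in full before the walker advances by next_offset, and jump targets are compared against the recorded entry starts rather than trusted, so a blob with an out-of-range next_offset or a jump into the middle of an entry is rejected before any rule is executed.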
