From patchwork Wed Jun 20 16:33:45 2018
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 932333
X-Patchwork-Delegate: davem@davemloft.net
Date: Wed, 20 Jun 2018 18:33:45 +0200
Message-Id: <20180620163345.212776-1-jannh@google.com>
X-Mailer: git-send-email 2.18.0.rc1.244.gcf134e6275-goog
Subject: [PATCH net] netfilter: nf_log: fix uninit read in nf_log_proc_dostring
From: Jann Horn
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, jannh@google.com
Cc: "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org

When proc_dostring() is called with a non-zero offset in strict mode, it
doesn't just write to the ->data buffer, it also reads. Make sure it
doesn't read uninitialized data.

Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]")
Signed-off-by: Jann Horn
--- net/netfilter/nf_log.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 426457047578..2c47f9ec3511 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c 
@@ -424,6 +424,10 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, if (write) { struct ctl_table tmp = *table; + /* proc_dostring() can append to existing strings, so we need to + * initialize it as an empty string. + */ + buf[0] = '\0'; tmp.data = buf; r = proc_dostring(&tmp, write, buffer, lenp, ppos); if (r)
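
Review bot: `buf[0] = '\0';` in the `if (write)` branch clears only the first byte of buf, which is enough only because proc_dostring() treats tmp.data as a NUL-terminated string and does not read past the terminator; the new comment should state that assumption, since the rest of buf is still uninitialized when `tmp.data = buf;` hands it over. The comment's "initialize it as an empty string" is also ambiguous ("it" reads as "existing strings"); "initialize buf as an empty string" would be clearer. It would help to note, in the comment or the commit message, what a write at a non-zero *ppos now yields in buf when `r` is 0, because the code after `if (r)` goes on to use buf as the result of the write.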