From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.14 030/165] netfilter: nf_tables: dont allow to rename to already-pending name
Date: Mon, 3 Sep 2018 18:55:16 +0200
Message-Id: <20180903165656.599549018@linuxfoundation.org>
In-Reply-To: <20180903165655.003605184@linuxfoundation.org>
References: <20180903165655.003605184@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal [ Upstream commit c6cc94df65c3174be92afbee638f11cbb5e606a7 ] Its possible to rename two chains to the same name in one transaction: nft add chain t c1 nft add chain t c2 nft 'rename chain t c1 c3;rename chain t c2 c3' This creates two chains named 'c3'. Appears to be harmless, both chains can still be deleted both by name or handle, but, nevertheless, its a bug. Walk transaction log and also compare vs. the pending renames. Both chains can still be deleted, but nevertheless it is a bug as we don't allow to create chains with identical names, so we should prevent this from happening-by-rename too. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_tables_api.c | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1480,7 +1480,6 @@ static int nf_tables_updchain(struct nft struct nft_base_chain *basechain; struct nft_stats *stats = NULL; struct nft_chain_hook hook; - const struct nlattr *name; struct nf_hook_ops *ops; struct nft_trans *trans; int err, i; @@ -1531,12 +1530,11 @@ static int nf_tables_updchain(struct nft return PTR_ERR(stats); } + err = -ENOMEM; trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, sizeof(struct nft_trans_chain)); - if (trans == NULL) { - free_percpu(stats); - return -ENOMEM; - } + if (trans == NULL) + goto err; nft_trans_chain_stats(trans) = stats; nft_trans_chain_update(trans) = true; 
@@ -1546,19 +1544,37 @@ static int nf_tables_updchain(struct nft else nft_trans_chain_policy(trans) = -1; - name = nla[NFTA_CHAIN_NAME]; - if (nla[NFTA_CHAIN_HANDLE] && name) { - nft_trans_chain_name(trans) = - nla_strdup(name, GFP_KERNEL); - if (!nft_trans_chain_name(trans)) { - kfree(trans); - free_percpu(stats); - return -ENOMEM; + if (nla[NFTA_CHAIN_HANDLE] && + nla[NFTA_CHAIN_NAME]) { + struct nft_trans *tmp; + char *name; + + err = -ENOMEM; + name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); + if (!name) + goto err; + + err = -EEXIST; + list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { + if (tmp->msg_type == NFT_MSG_NEWCHAIN && + tmp->ctx.table == table && + nft_trans_chain_update(tmp) && + nft_trans_chain_name(tmp) && + strcmp(name, nft_trans_chain_name(tmp)) == 0) { + kfree(name); + goto err; + } } + + nft_trans_chain_name(trans) = name; } list_add_tail(&trans->list, &ctx->net->nft.commit_list); return 0; +err: + free_percpu(stats); + kfree(trans); + return err; } static int nf_tables_newchain(struct net *net, struct sock *nlsk,
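Review bot: in the second hunk (@@ -1531,12 +1530,11 @@), the new `goto err` on `nft_trans_alloc()` failure reaches a label that runs both `free_percpu(stats)` and `kfree(trans)`, so it depends on `trans` being NULL-safe for `kfree()` and on `stats` still being its initial NULL when no counters were supplied; both hold, but a one-line comment at `err:` stating that the label may be reached with either pointer unset would spare the next reader from re-deriving that, especially since the label now serves three different failure points.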
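Review bot: in the third hunk (@@ -1546,19 +1544,37 @@), the `list_for_each_entry()` loop only matches pending transactions that have `nft_trans_chain_update(tmp)` set, i.e. other renames in the same batch; a chain added (not renamed) earlier in the batch under the target name is not matched by this loop, so the fix relies on the table-wide name lookup that precedes this code in `nf_tables_updchain()` (not part of this diff) seeing chains that are still pending creation, and the commit message would be clearer if it said so. A small style point: `err = -EEXIST;` is set unconditionally before the loop and is only consumed in the collision branch; moving it next to `kfree(name); goto err;` keeps the error value beside the condition that produces it, mirroring how `err = -ENOMEM;` sits directly before the `nla_strdup()` check.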