From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 5.4 30/60] netfilter: nftables: fix possible UAF over chains from packet path in netns
Date: Mon, 15 Feb 2021 16:27:18 +0100
Message-Id: <20210215152716.316351297@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210215152715.401453874@linuxfoundation.org>
References: <20210215152715.401453874@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pablo Neira Ayuso

[ Upstream commit 767d1216bff82507c945e92fe719dff2083bb2f4 ]

Although hooks are released via call_rcu(), chain and rule objects are
immediately released while packets are still walking over these bits.

This patch adds the .pre_exit callback which is invoked before
synchronize_rcu() in the netns framework to stay safe.

Remove a comment which is not valid anymore since the core does not use
synchronize_net() anymore since 8c873e219970 ("netfilter: core: free
hooks with call_rcu").

Suggested-by: Florian Westphal
Fixes: df05ef874b28 ("netfilter: nf_tables: release objects on netns destruction")
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 40216c2a7dd72..373ea0e49f12d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7696,6 +7696,17 @@ int __nft_release_basechain(struct nft_ctx *ctx) } EXPORT_SYMBOL_GPL(__nft_release_basechain); +static void __nft_release_hooks(struct net *net) +{ + struct nft_table *table; + struct nft_chain *chain; + + list_for_each_entry(table, &net->nft.tables, list) { + list_for_each_entry(chain, &table->chains, list) + nf_tables_unregister_hook(net, table, chain); + } +} + static void __nft_release_tables(struct net *net) { struct nft_flowtable *flowtable, *nf; @@ -7711,10 +7722,6 @@ static void __nft_release_tables(struct net *net) list_for_each_entry_safe(table, nt, &net->nft.tables, list) { ctx.family = table->family; - - list_for_each_entry(chain, &table->chains, list) - nf_tables_unregister_hook(net, table, chain); - /* No packets are walking on these chains anymore. */ ctx.table = table; list_for_each_entry(chain, &table->chains, list) { ctx.chain = chain; @@ -7762,6 +7769,11 @@ static int __net_init nf_tables_init_net(struct net *net) return 0; } +static void __net_exit nf_tables_pre_exit_net(struct net *net) +{ + __nft_release_hooks(net); +} + static void __net_exit nf_tables_exit_net(struct net *net) { mutex_lock(&net->nft.commit_mutex); @@ -7774,8 +7786,9 @@ static void __net_exit nf_tables_exit_net(struct net *net) } static struct pernet_operations nf_tables_net_ops = { - .init = nf_tables_init_net, - .exit = nf_tables_exit_net, + .init = nf_tables_init_net, + .pre_exit = nf_tables_pre_exit_net, + .exit = nf_tables_exit_net, }; static int __init nf_tables_module_init(void) -- 2.27.0
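Review bot: __nft_release_hooks() in the first hunk walks net->nft.tables and every table's chain list with no lock held and no comment saying why that is acceptable; since it exists only to be called from the new pre_exit path, add a one-line comment above it stating that it runs while the netns is being dismantled and must drop the hooks before the RCU grace period that precedes nf_tables_exit_net(), so nobody later calls it from a context where the commit_mutex would be required. The loop body is a verbatim move of the loop deleted in the second hunk (`list_for_each_entry(chain, &table->chains, list)` / `nf_tables_unregister_hook(net, table, chain);`), so what happens to non-base chains is unchanged by this patch.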
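Review bot: the second hunk deletes `/* No packets are walking on these chains anymore. */` together with the unregister loop, yet after this change that sentence is precisely the invariant __nft_release_tables() relies on: hooks were unregistered in pre_exit and the netns core ran synchronize_rcu() before calling exit, which is what makes freeing chains and rules synchronously here safe. Rather than dropping it, reword it to record that reasoning, for example `/* Hooks were unregistered in pre_exit and an RCU grace period has elapsed: no packets are walking these chains. */`, so the ordering requirement is visible at the one place that depends on it instead of only in the commit message.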
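Review bot: the correctness of the `.pre_exit = nf_tables_pre_exit_net,` line in the last hunk rests entirely on the pernet framework calling pre_exit, then synchronize_rcu(), then exit, and nothing in the code documents that dependency; since the patch touches no header, confirm for this 5.4 backport that struct pernet_operations in this tree has the .pre_exit member and that the core honours that ordering, otherwise the hooks are still live when nf_tables_exit_net() frees the chains. The re-indentation of the unchanged .init and .exit initialisers is cosmetic churn, tolerable here only because it keeps the backport byte-identical to the upstream commit.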