Date: Tue, 20 Jun 2023 08:35:55 +0200
From: Pablo Neira Ayuso
To: Florent Revest
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, lirongqing@baidu.com, wangli39@baidu.com, zhangyu31@baidu.com, daniel@iogearbox.net, ast@kernel.org, kpsingh@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
Message-ID:
References: <20230615152918.3484699-1-revest@chromium.org>
In-Reply-To: <20230615152918.3484699-1-revest@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 15, 2023 at 05:29:18PM +0200, Florent Revest wrote:
> If register_nf_conntrack_bpf() fails (for example, if the .BTF section
> contains an invalid entry), nf_conntrack_init_start() calls
> nf_conntrack_helper_fini() as part of its cleanup path and
> nf_ct_helper_hash gets freed.
>
> Further netfilter modules like netfilter_conntrack_ftp don't check
> whether nf_conntrack initialized correctly and call
> nf_conntrack_helpers_register() which accesses the freed
> nf_ct_helper_hash and causes a UAF.
>
> This patch guards nf_conntrack_helper_register() from accessing
> freed/uninitialized nf_ct_helper_hash maps and fixes a boot-time
> use-after-free.

How could this possibly happen? nf_conntrack_ftp depends on nf_conntrack.
If nf_conntrack fails to load, how can nf_conntrack_ftp be loaded?

> Cc: stable@vger.kernel.org
> Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
> Signed-off-by: Florent Revest > --- > net/netfilter/nf_conntrack_helper.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c > index 0c4db2f2ac43..f22691f83853 100644 > --- a/net/netfilter/nf_conntrack_helper.c > +++ b/net/netfilter/nf_conntrack_helper.c > @@ -360,6 +360,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) > BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); > BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); > > + if (!nf_ct_helper_hash) > + return -ENOENT; > + > if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT) > return -EINVAL; > > @@ -515,4 +518,5 @@ int nf_conntrack_helper_init(void) > void nf_conntrack_helper_fini(void) > { > kvfree(nf_ct_helper_hash); > + nf_ct_helper_hash = NULL; > } > -- > 2.41.0.162.gfafddb0af9-goog >
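Review bot: the `if (!nf_ct_helper_hash) return -ENOENT;` guard in nf_conntrack_helper_register() is only meaningful together with the second hunk: after kvfree() alone the pointer is dangling but non-NULL and would pass this check, so the commit message should state that the two changes are a single fix and that nothing on the register path dereferences nf_ct_helper_hash before this point (the BUG_ON() lines above it only inspect `me`). -ENOENT is also an unusual code for "subsystem not initialised"; the helper modules' init paths need to propagate it so the module load fails visibly instead of leaving a half-registered helper behind.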
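Review bot: setting nf_ct_helper_hash to NULL after kvfree() in nf_conntrack_helper_fini() removes the dangling pointer, but the new check in nf_conntrack_helper_register() reads the global without any lock, so if fini can run concurrently with a helper registration there is still a window between the NULL check and the later hash access. The commit message should say what serialises the two (the module loading path, or the mutex that already protects the helper hash) or the check should be performed under that lock; as written the fix relies on an ordering that is not documented here.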