References: <20230615152918.3484699-1-revest@chromium.org> <20230621111454.GB24035@breakpoint.cc> <20230621184738.GG24035@breakpoint.cc>
In-Reply-To: <20230621184738.GG24035@breakpoint.cc>
From: Florent Revest
Date: Mon, 3 Jul 2023 16:42:30 +0200
Subject: Re: [PATCH nf] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
To: Florian Westphal
Cc: Pablo Neira Ayuso, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, kadlec@netfilter.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, lirongqing@baidu.com, daniel@iogearbox.net, ast@kernel.org, kpsingh@kernel.org, stable@vger.kernel.org
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 21, 2023 at 8:47 PM Florian Westphal wrote:
>
> Florent Revest wrote:
> > > in this case an initcall is failing and I think panic is preferable
> > > to a kernel that behaves like NF_CONNTRACK_FTP=n.
> >
> > In that case, it seems like what you'd want is
> > nf_conntrack_standalone_init() to BUG() instead of returning an error
> > then? (so you'd never get to NF_CONNTRACK_FTP or any other if
> > nf_conntrack failed to initialize) If this is the preferred behavior,
> > then sure, why not.
> >
> > > AFAICS this problem is specific to NF_CONNTRACK_FTP=y
> > > (or any other helper module, for that matter).
> >
> > Even with NF_CONNTRACK_FTP=m, the initialization failure in
> > nf_conntrack_standalone_init() still happens. Therefore, the helper
> > hashtable gets freed and when the nf_conntrack_ftp.ko module gets
> > insmod-ed, it calls nf_conntrack_helpers_register() and this still
> > causes a use-after-free.
>
> Can you send a v2 with a slightly reworded changelog?
>
> It should mention that one needs NF_CONNTRACK=y, so that when
> the failure happens during the initcall (as opposed to module insertion),
> nf_conntrack_helpers_register() can fail cleanly without followup splat?

Sure! :) On it.
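The lifecycle the thread describes (core init fails and frees the helper hashtable; a helper registered later touches it), as an added userspace model that is not the kernel's code or the patch under discussion. Function names, the toy hash and the error codes are assumptions; the point is the register-time guard that lets a helper registration fail cleanly instead of dereferencing freed memory.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified model of the lifecycle in the thread: the conntrack core
 * allocates a helper hashtable during init, and a helper module (e.g. FTP)
 * registers into that table later. Names and error codes are illustrative. */
struct helper {
    const char *name;
    struct helper *next;
};

/* Owned by the conntrack core; NULL means "not (successfully) initialized". */
static struct helper **helper_hash;
static unsigned int helper_hash_size;

/* Model of nf_conntrack_standalone_init(); fail_later simulates a later init
 * step failing after the hashtable has already been allocated. */
int conntrack_init(unsigned int size, int fail_later)
{
    helper_hash = calloc(size, sizeof(*helper_hash));
    if (!helper_hash)
        return -ENOMEM;
    helper_hash_size = size;
    if (fail_later) {
        /* Error path. The defect pattern is freeing the table but leaving
         * helper_hash dangling, so a later registration touches freed memory.
         * Resetting the pointer lets that later call fail cleanly instead. */
        free(helper_hash);
        helper_hash = NULL;
        helper_hash_size = 0;
        return -EINVAL;
    }
    return 0;
}

/* Model of nf_conntrack_helpers_register(): refuse to use a table that was
 * never successfully initialized rather than dereferencing freed memory. */
int helpers_register(struct helper *h)
{
    unsigned int b = 0;
    const char *p;
    if (!helper_hash)
        return -ENOENT;
    for (p = h->name; *p; p++)
        b = b * 31 + (unsigned char)*p;   /* toy string hash, not the kernel's */
    b %= helper_hash_size;
    h->next = helper_hash[b];
    helper_hash[b] = h;
    return 0;
}
```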