From patchwork Sat Mar 18 03:46:10 2017
X-Patchwork-Submitter: 高峰
X-Patchwork-Id: 740576
X-Patchwork-Delegate: pablo@netfilter.org
From: fgao@ikuai8.com
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org, gfree.wind@gmail.com
Cc: Gao Feng
Subject: [PATCH nf 1/1] netfilter: ctlink: Fix one possible use-after-free in ctnetlink_create_expect
Date: Sat, 18 Mar 2017 11:46:10 +0800
Message-Id: <1489808770-29622-1-git-send-email-fgao@ikuai8.com>
X-Mailer: git-send-email 1.9.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org
From: Gao Feng There is no rcu_read_lock during ctlink gets the helper and inserts the expectation. So there is one possible use-after-free issue when unload the helper module. For example: CPU1 CPU2 ctlink gets the helper helper module unload and remove all expectations insert the expectation Now there is one expectation which references one helper whose module is unloaded. Signed-off-by: Gao Feng --- net/netfilter/nf_conntrack_netlink.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 6806b5e..f6d1d63 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -3133,23 +3133,27 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, return -ENOENT; ct = nf_ct_tuplehash_to_ctrack(h); + rcu_read_lock(); if (cda[CTA_EXPECT_HELP_NAME]) { const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); helper = __nf_conntrack_helper_find(helpname, u3, nf_ct_protonum(ct)); if (helper == NULL) { + rcu_read_unlock(); #ifdef CONFIG_MODULES if (request_module("nfct-helper-%s", helpname) < 0) { err = -EOPNOTSUPP; goto err_ct; } + rcu_read_lock(); helper = __nf_conntrack_helper_find(helpname, u3, nf_ct_protonum(ct)); if (helper) { err = -EAGAIN; - goto err_ct; + goto err_rcu; } + rcu_read_unlock(); #endif err = -EOPNOTSUPP; goto err_ct; @@ -3159,11 +3163,13 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); if (IS_ERR(exp)) { err = PTR_ERR(exp); - goto err_ct; + goto err_rcu; } err = nf_ct_expect_related_report(exp, portid, report); nf_ct_expect_put(exp); +err_rcu: + rcu_read_unlock(); err_ct: nf_ct_put(ct); return err;
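Review bot: In the first hunk (the helper lookup under `if (cda[CTA_EXPECT_HELP_NAME])`), the lock state at `#endif` depends on which side of `#ifdef CONFIG_MODULES` is compiled, and a reader has to trace three separate `rcu_read_unlock()` calls to confirm that the fall-through to `err = -EOPNOTSUPP; goto err_ct;` runs unlocked in both configurations. Dropping the read lock before `request_module()` is required, since it may sleep, but the unlock/relock/unlock sequence inside the `helper == NULL` branch is fragile; consider factoring the lookup-plus-module-load into a small helper that returns with the read lock held on success and released on failure, or at least add a comment at `#endif` stating that the lock is not held there. Two smaller points: the subject's "ctlink" should read "ctnetlink", and the `ctnetlink_del_expect` in the hunk header is only git's function-context heuristic, the change is in ctnetlink_create_expect as the subject says.

Review bot: In the second hunk, `ctnetlink_alloc_expect()` and `nf_ct_expect_related_report()` now execute inside the RCU read-side critical section, so the fix relies on nothing in that path sleeping; the commit message should state that this was checked (allocation flags, no blocking module loads while parsing the expectation attributes), because a sleeping call under `rcu_read_lock()` would be a new bug introduced by this patch. The new `err_rcu:` label is also the fall-through for the success path after `nf_ct_expect_put(exp)`, which is correct but reads like an error-only label; a one-line comment such as `/* success path releases the read lock here too */` would help the next reader. Finally, the commit message should spell out the assumption the fix rests on: that helper unregistration waits for an RCU grace period before it "remove[s] all expectations", so an expectation inserted inside this read-side critical section is guaranteed to be among the ones removed rather than left holding a dangling helper pointer.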