From: Debabrata Banerjee
To: Pablo Neira Ayuso
Cc: "David S . Miller", netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, stable@vger.kernel.org, dbanerje@akamai.com
Subject: [PATCH] Fix handling of verdicts after NF_QUEUE
Date: Mon, 11 Dec 2017 18:30:24 -0500
Message-Id: <20171211233024.18303-1-dbanerje@akamai.com>

A verdict of NF_STOLEN after NF_QUEUE will cause an incorrect return value
and a potential kernel panic via double free of skb's

This was broken by commit 7034b566a4e7 ("netfilter: fix nf_queue handling")
and subsequently fixed in v4.10 by commit c63cbc460419 ("netfilter: use
switch() to handle verdict cases from nf_hook_slow()"). However that
commit cannot be cleanly cherry-picked to v4.9

Signed-off-by: Debabrata Banerjee
---

This fix is only needed for v4.9 stable since v4.10+ does not have the issue

---
 net/netfilter/core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 004af030ef1a..d869ea50623e 100644
--- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -364,6 +364,11 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) ret = nf_queue(skb, state, &entry, verdict); if (ret == 1 && entry) goto next_hook; + } else { + /* Implicit handling for NF_STOLEN, as well as any other + * non conventional verdicts. + */ + ret = 0; } return ret; }
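
Review bot: the comment in the new `else` branch of nf_hook_slow() names the verdicts it covers but not why `ret` has to be reset, and that reason is the whole fix. The context lines show `ret = nf_queue(skb, state, &entry, verdict);` followed by `goto next_hook` when `ret == 1 && entry`, so `ret` can still hold 1 from that earlier pass when a later hook returns NF_STOLEN, and the caller is then told to continue with an skb it no longer owns. Please say that in the comment, for example "ret may still be 1 from a previous NF_QUEUE pass; the skb is gone, so report 0". Two smaller points: the same branch returns 0 for any unrecognised verdict without freeing the skb, so it would help to state that such verdicts are assumed to have consumed the packet (or to warn when the verdict is not NF_STOLEN); and since this is a v4.9-only fix, the subject would be easier to triage with a `netfilter:` prefix and the target tree in the tag.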