From patchwork Sun Apr 29 14:57:11 2018
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 906364
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH 3/3 nf-next] netfilter: nf_tables: fix use-after-free in nf_tables_rule_destroy
Date: Sun, 29 Apr 2018 23:57:11 +0900
Message-Id: <20180429145711.13091-1-ap420073@gmail.com>
X-Mailer: git-send-email 2.9.3
X-Mailing-List: netfilter-devel@vger.kernel.org

The nft_expr_ops might be freed in nf_tables_expr_destroy(), but after this a member of nft_expr_ops is used.

Steps to reproduce:

$ iptables-compat -I OUTPUT -m cpu --cpu 0
$ iptables-compat -F

Signed-off-by: Taehee Yoo
---
 net/netfilter/nf_tables_api.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 981f35e..2ab23e3 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c @@ -1873,7 +1873,7 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx, if (ops->init) { err = ops->init(ctx, expr, (const struct nlattr **)info->tb); if (err < 0) - goto err1; + return err; } if (ops->validate) { @@ -1881,16 +1881,14 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx, err = ops->validate(ctx, expr, &data); if (err < 0) - goto err2; + goto err; } return 0; -err2: +err: if (ops->destroy) ops->destroy(ctx, expr); -err1: - expr->ops = NULL; return err; } @@ -2233,16 +2231,13 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk, static void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) { - struct nft_expr *expr; + struct nft_expr *expr, *next; - /* - * Careful: some expressions might not be initialized in case this - * is called on error from nf_tables_newrule(). - */ expr = nft_expr_first(rule); - while (expr != nft_expr_last(rule) && expr->ops) { + while (expr != nft_expr_last(rule)) { + next = nft_expr_next(expr); nf_tables_expr_destroy(ctx, expr); - expr = nft_expr_next(expr); + expr = next; } kfree(rule); }
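Review bot: in the first nf_tables_newexpr hunk (`goto err1` becoming `return err`), an init() failure now returns with expr->ops still pointing at the ops assigned earlier in the function, whereas the old err1 path cleared it; since the nf_tables_rule_destroy hunk drops the `expr->ops` test at the same time, nothing in this patch shows what stops the caller's error path from later running ops->destroy on an expression whose init() never completed. Either keep `expr->ops = NULL;` on this path or state in the commit message which caller change makes it unnecessary.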
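Review bot: in the second nf_tables_newexpr hunk, the `err:` label now calls ops->destroy and returns with expr->ops left set, so a validate() failure leaves the expression indistinguishable from a live one to whoever still holds the rule; if the rule is then torn down through nf_tables_rule_destroy, which no longer checks expr->ops, ops->destroy runs a second time on it. Consider clearing expr->ops after the destroy call here, or documenting why the caller no longer walks the rule on this error path.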
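Review bot: in the nf_tables_rule_destroy hunk, computing `next = nft_expr_next(expr);` before nf_tables_expr_destroy() is the right fix for ops being released inside destroy, but the loop also drops the `expr->ops` guard, and nft_expr_next() itself reads through expr->ops, so the walk now assumes every slot up to nft_expr_last(rule) has ops set. The removed comment said that is not true when this is reached from the nf_tables_newrule() error path; if that precondition no longer holds (for example because of an earlier patch in this 3/3 series), the commit message should say so, otherwise an uninitialised slot is dereferenced at the first nft_expr_next() call.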
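The walk-then-release hazard the commit message describes, reduced to a stand-alone model (an added example, not code from this patch or from the kernel): expressions are packed back to back inside a rule, the only way to reach the next one is ops->size, and a per-expression ops table is released inside destroy(). The names expr_first, expr_next, rule_destroy_unsafe, rule_destroy_safe and build_rule are assumptions of the model; the `freed` flag stands in for kfree(ops) so the bad walk can be counted instead of crashing.

```c
#include <stdlib.h>

struct expr;
/* Per-expression operations table; in this model destroy() releases it. */
struct expr_ops {
	size_t size;			/* bytes occupied by the whole expression */
	void (*destroy)(struct expr *e);
	int freed;			/* assumption: stands in for kfree(ops) */
};
struct expr { struct expr_ops *ops; unsigned char priv[]; };	/* private data follows header */
struct rule { size_t dlen; unsigned char data[]; };		/* dlen = bytes of packed exprs */

static struct expr *expr_first(struct rule *r) { return (struct expr *)r->data; }
static struct expr *expr_last(struct rule *r) { return (struct expr *)(r->data + r->dlen); }

static int reads_after_release;	/* next-pointer computations that read a released ops */

static struct expr *expr_next(struct expr *e)
{
	if (e->ops->freed)
		reads_after_release++;
	return (struct expr *)((unsigned char *)e + e->ops->size);
}

/* Like a dynamically built ops table: the expression's own destroy releases it. */
static void dyn_destroy(struct expr *e) { e->ops->freed = 1; }

static void expr_destroy(struct expr *e)
{
	if (e->ops->destroy)
		e->ops->destroy(e);
}

/* Pattern the patch removes: next is derived from ops after destroy released it. */
static int rule_destroy_unsafe(struct rule *r)
{
	struct expr *e = expr_first(r);
	int n = 0;
	reads_after_release = 0;
	while (e != expr_last(r)) {
		expr_destroy(e);
		e = expr_next(e);	/* reads e->ops->size after release */
		n++;
	}
	return n;
}

/* Pattern the patch introduces: fetch next before destroy can release ops. */
static int rule_destroy_safe(struct rule *r)
{
	struct expr *e = expr_first(r), *next;
	int n = 0;
	reads_after_release = 0;
	while (e != expr_last(r)) {
		next = expr_next(e);
		expr_destroy(e);
		e = next;
		n++;
	}
	return n;
}

/* Constructed input: n expressions, each with its own heap ops and 8 private bytes. */
static struct rule *build_rule(int n)
{
	size_t esz = sizeof(struct expr) + 8;
	struct rule *r = calloc(1, sizeof(*r) + n * esz);
	int i;
	if (!r)
		return NULL;
	r->dlen = n * esz;
	for (i = 0; i < n; i++) {
		struct expr *e = (struct expr *)(r->data + i * esz);
		e->ops = calloc(1, sizeof(*e->ops));
		if (!e->ops)
			exit(1);
		e->ops->size = esz;
		e->ops->destroy = dyn_destroy;
	}
	return r;
}

/* Runs one teardown and returns how many reads went through a released ops. */
static int teardown_reads_after_release(int n, int use_safe_walk)
{
	struct rule *r = build_rule(n);
	size_t esz = sizeof(struct expr) + 8;
	int i, seen;
	if (!r)
		return -1;
	if (use_safe_walk)
		rule_destroy_safe(r);
	else
		rule_destroy_unsafe(r);
	seen = reads_after_release;
	for (i = 0; i < n; i++)		/* ops were only flagged, still allocated */
		free(((struct expr *)(r->data + i * esz))->ops);
	free(r);
	return seen;
}
```

For a three-expression rule, rule_destroy_unsafe reports one release-then-read per expression, while rule_destroy_safe reports none; the latter is the property the nf_tables_rule_destroy hunk restores. In the real kernel the read goes through memory that kfree() has already returned to the allocator, so the outcome depends on what reuses it rather than being a clean counter.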