Forwarding this reply to nf-devel, it was not included in the CC. Just for the record.

----- Forwarded message from Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> -----

Date: Sun, 4 May 2014 13:33:57 +0200
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
To: Denys Fedoryshchenko <nuclearcat@xxxxxxxxxxxxxx>
Cc: netdev@xxxxxxxxxxxxxxx, kaber@xxxxxxxxx, kadlec@xxxxxxxxxxxxxxxxx
Subject: Re: nft 2.0, NULL pointer dereference in 3.14.1
User-Agent: Mutt/1.5.21 (2010-09-15)

On Sun, May 04, 2014 at 10:25:58AM +0300, Denys Fedoryshchenko wrote:
> Hi
>
> I did a bit more debugging and found that the problem is happening at:
>
> >sock = netlink_lookup(sock_net(ssk), ssk->sk_protocol, portid);
>
> ssk is NULL
>
> After checking, I noticed in nfnetlink.c
> nfnetlink_rcv_batch() function
>
> We have
> nskb->sk = oskb->sk;
> skb = nskb;
>
> I am matching condition
> ss = rcu_dereference_protected(table[subsys_id].subsys,
>                                lockdep_is_held(&table[subsys_id].mutex));
> if (!ss) {
>
> And then
> nfnl_unlock(subsys_id);
> kfree_skb(nskb);
> return netlink_ack(skb, nlh, -EOPNOTSUPP);
>
> If I am not wrong, nskb is the same pointer as skb, so we are giving
> netlink_ack a freed pointer?
> Is it "use after free()"?

Right, this is an embarrassing use after free when no nf_tables support
has been selected / modules are not available.

> If yes, then it seems the attached patch fixes my issue. Please let me
> know if it is ok and I should submit it.

I'm going to take this, but please next time use git format-patch and
include your Signed-off-by tag. If you feel the patch is not complete in
some aspect or that you may be missing anything, just include the RFC tag
in the subject.

Thanks Denys!

----- End forwarded message -----
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
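A small model of the aliasing bug Denys describes, as an added example that is not code from the thread, from Denys's patch or from the kernel: `skb` is set to `nskb`, so `kfree_skb(nskb)` followed by `netlink_ack(skb, ...)` acks on freed memory, while the hardened form acks on `oskb`, which the caller still owns. The `struct skb`, its `live` flag and the `*_model` helpers are assumptions made so the two paths can be compared in user space.

```c
/* Added example, not code from the thread or the kernel: a stand-alone model of
 * the nfnetlink_rcv_batch() error path. oskb/nskb/skb follow the mail; struct skb,
 * the live flag and the *_model helpers are assumptions made for this demo. */
#include <errno.h>
#include <stdio.h>

struct skb {
    int live;   /* 1 while the buffer is valid, 0 once "freed" */
    void *sk;   /* owning socket, copied by nskb->sk = oskb->sk */
};

/* kfree_skb() stand-in: mark the buffer dead so a later touch is detected. */
static void kfree_skb_model(struct skb *s) { s->live = 0; }

/* netlink_ack() stand-in: reads skb->sk to reach the sender, so a freed
 * buffer is a use after free. Returns 0 if acked on a live skb, -1 on UAF. */
static int netlink_ack_model(struct skb *s, int err) {
    (void)err;
    if (!s->live) return -1;  /* in the kernel: dereference of freed memory */
    return s->sk ? 0 : -1;
}

/* Shape of the path quoted in the mail: skb aliases nskb, so kfree_skb(nskb)
 * followed by netlink_ack(skb, ...) acks on freed memory. */
static int unsupported_subsys_buggy(struct skb *oskb, struct skb *nskb) {
    struct skb *skb;
    nskb->sk = oskb->sk;
    skb = nskb;               /* same pointer from here on */
    kfree_skb_model(nskb);
    return netlink_ack_model(skb, -EOPNOTSUPP);
}

/* Hardened form: drop the clone, then ack on the original buffer, which the
 * caller still owns and which kfree_skb() never touched. */
static int unsupported_subsys_fixed(struct skb *oskb, struct skb *nskb) {
    struct skb *skb;
    nskb->sk = oskb->sk;
    skb = nskb;
    kfree_skb_model(skb);
    return netlink_ack_model(oskb, -EOPNOTSUPP);
}

/* Run one variant on a fresh constructed oskb/nskb pair (fixed != 0 selects
 * the hardened path). -1 means the ack touched freed memory, 0 means it
 * was answered on a live buffer. */
int demo(int fixed) {
    int sock;
    struct skb oskb = { 1, &sock }, nskb = { 1, NULL };
    return fixed ? unsupported_subsys_fixed(&oskb, &nskb)
                 : unsupported_subsys_buggy(&oskb, &nskb);
}
```

Calling `demo(0)` returns -1 (the ack ran on the freed buffer) and `demo(1)` returns 0.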