Re: [PATCH v2 nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Mon, 20 Mar 2017 14:11:32 +0100

On Mon, Mar 20, 2017 at 09:06:22PM +0800, Gao Feng wrote:
> On Mon, Mar 20, 2017 at 8:50 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Mon, Mar 20, 2017 at 11:44:42AM +0100, Pablo Neira Ayuso wrote:
> >> > diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
> >> > index 6dc44d9..6c840af 100644
> >> > --- a/net/netfilter/nf_conntrack_helper.c
> >> > +++ b/net/netfilter/nf_conntrack_helper.c
> >> > @@ -130,6 +130,42 @@ static unsigned int helper_hash(const struct nf_conntrack_tuple *tuple)
> >> >     return NULL;
> >> >  }
> >> >
> >> > +static void
> >> > +nf_ct_remove_expect_refer_dying_module(const struct module *me)
> >> > +{
> >> > +   struct nf_conntrack_expect *exp;
> >> > +   const struct hlist_node *next;
> >> > +   u32 i;
> >> > +
> >> > +   if (!me)
> >> > +           return;
> >> > +
> >> > +   /* Make sure no one is still using the moudule unless
> >> > +    * its a connection in the hash.
> >> > +    */
> >> > +   synchronize_rcu();
> >> > +
> >> > +   /* Get rid of expectations */
> >> > +   spin_lock_bh(&nf_conntrack_expect_lock);
> >> > +   for (i = 0; i < nf_ct_expect_hsize; i++) {
> >> > +           hlist_for_each_entry_safe(exp, next,
> >> > +                                     &nf_ct_expect_hash[i], hnode) {
> >> > +                   struct nf_conn_help *master_help = nfct_help(exp->master);
> >> > +
> >> > +                   if ((master_help->helper && master_help->helper->me == me) ||
> >> > +                       (exp->helper && exp->helper->me == me) ||
> >> > +                       exp->expectfn_module == me) {
> >
> > Are you also sure this is correct?
> >
> > me can be nf_nat_sip, while exp->helper->me points to
> > nf_conntrack_sip.
> 
> I don't read the source codes of ctlink command.
> But it seems be correct from the kernel codes.
> 
> Please look at the function "ctnetlink_create_expect".
> 
>         if (cda[CTA_EXPECT_HELP_NAME]) {
>                 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
> 
>                 helper = __nf_conntrack_helper_find(helpname, u3,
>                                                     nf_ct_protonum(ct));
> The helper is got by cda[CTA_EXPECT_HELP_NAME].
> 
> Then go to the function ctnetlink_alloc_expect,
> 
>         if (cda[CTA_EXPECT_FN]) {
>                 const char *name = nla_data(cda[CTA_EXPECT_FN]);
>                 struct nf_ct_helper_expectfn *expfn;
> 
>                 expfn = nf_ct_helper_expectfn_find_by_name(name);
> The expfn is got by cda[CTA_EXPECT_FN].
> 
> So it is possible that the helper and expfn which they belongs to
> different modules.

ctnetlink is not the only path to create expressions.

We can also create expectations from the packet path, from the helper
itself.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html