Jordan Glover <Golden_Miller83@xxxxxxxxxxxxx> wrote:
> Starting from Linux 5.0rc5, executing 'iptables-restore' command
> causes 'refcount_t: increment on 0; use-after-free' warning.
> Those didn't occur on Linux 5.0rc4 and earlier. Below are two examples:
>
> Linux version 5.0.0-rc5 (builduser@chroot) (gcc version 8.2.1 20181127 (GCC)) #1 SMP PREEMPT
> ...
> ------------[ cut here ]------------
> refcount_t: increment on 0; use-after-free.

Bah. It's not UAF. No idea how to fix this.

@@ -504,7 +507,11 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr, return ret; nft_xt = container_of(expr->ops, struct nft_xt, ops); - refcount_inc(&nft_xt->refcnt); + if (refcount_read(&nft_xt->refcnt) == 0) + refcount_set(&nft_xt->refcnt, 1); + else + refcount_inc(&nft_xt->refcnt); + return 0;

... but that's just really ugly. Perhaps better to downgrade to atomic_t 8-/
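
Review bot: In the added branch of __nft_match_init(), refcount_read() followed by refcount_set() is two separate operations, so two callers that both observe 0 will each set the count to 1 and one reference is lost; nothing in the hunk shows a lock that serializes them. If a zero count is a legitimate "no users yet" state here rather than a freed object, say so in a comment above the `if`, and consider starting the count at 1 where the object is created so this path can keep a plain `refcount_inc(&nft_xt->refcnt);`, or use a counter type whose 0 to 1 transition is allowed.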