Hi Florian,

On Thu, 7 Mar 2019 20:30:41 +0100 Florian Westphal <fw@xxxxxxxxx> wrote:

> The abort path can cause a double-free of an (anon) set.
>
> Added-and-to-be-aborted rule looks like this:
>
> udp dport { 137, 138 } drop
>
> The to-be-aborted transaction list looks like this:
> newset
> newsetelem
> newsetelem
> rule
>
> This gets walked in reverse order, so first pass disables
> the rule, the set elements, then the set.
>
> After synchronize_rcu(), we then destroy those in the same order:
> rule, set element, set element, newset.
>
> Problem is that the (anon) set has already been bound to the rule,
> so the rule (lookup expression destructor) already frees the set,
> which then causes a use-after-free when trying to delete the elements
> from this set, then tries to free the set again when handling the
> newset expression.
>
> To resolve this, check in first phase if the newset is bound already.
> If so, remove the newset transaction from the list, rule destructor
> will handle cleanup.
>
> This still causes the use-after-free on set element removal.
> To handle this, move all affected set elements to an extra list
> and process it first.
>
> This forces strict 'destroy elements, then set' ordering.
>
> Fixes: f6ac8585897684 ("netfilter: nf_tables: unbind set in rule from commit path")
> Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

<snip>

Thank you. I can confirm that, after applying this patch, I am able to check - and load - my entire ruleset without incident.

--
Kerin Millar <kfm@xxxxxxxxxxxxx>
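The destroy-ordering problem in the quoted commit message can be reproduced with a small user-space model. The following C program is an added illustration written for this page; it is not kernel code, not part of Florian's patch, and every name in it (`struct trans`, `simulate_abort`, `g_uaf`, the counters) is a constructed stand-in for the nf_tables transaction machinery. It builds the four-entry transaction list from the message (newset, newsetelem, newsetelem, rule) with the anonymous set already bound to the rule, walks it the way the abort path does (reverse pass to deactivate, then a destroy pass), and counts set frees and element removals against an already-freed set. With `apply_fix` set, it drops the bound newset transaction in the first pass and moves the element transactions to a separate list that is destroyed first, which is the ordering the patch enforces.

```c
#include <stdio.h>

/* Constructed model of the nf_tables abort path; none of this is kernel code. */
enum trans_type { T_NEWSET, T_NEWSETELEM, T_RULE };

struct set {
    const char *name;
    int bound;   /* anon set already bound to the rule's lookup expression */
    int freed;   /* number of times the set was freed; must end at exactly 1 */
    int nelems;  /* live elements still in the set */
};

struct trans {
    enum trans_type type;
    struct set *set;
    int active;  /* cleared by the first (deactivate) pass */
};

struct outcome {
    int set_frees;   /* >1 means double free */
    int uaf;         /* element removals attempted on an already-freed set */
    int elems_left;  /* elements never removed */
};

static int g_uaf;  /* use-after-free counter for the current simulation */

static void set_free(struct set *s)
{
    s->freed++;  /* a second call here is the double free */
}

static void elem_remove(struct set *s)
{
    if (s->freed)
        g_uaf++;  /* touching elements of a freed set: use-after-free */
    else
        s->nelems--;
}

/* Rule destructor: a bound anon set is released together with the rule. */
static void rule_destroy(struct trans *t)
{
    if (t->set && t->set->bound)
        set_free(t->set);
}

#define MAX_TRANS 8

struct outcome simulate_abort(int apply_fix)
{
    struct set anon = { "anon-set", 1, 0, 2 };  /* constructed: bound, two elements */
    struct trans newset = { T_NEWSET, &anon, 1 };
    struct trans elem1  = { T_NEWSETELEM, &anon, 1 };
    struct trans elem2  = { T_NEWSETELEM, &anon, 1 };
    struct trans rule   = { T_RULE, &anon, 1 };
    struct trans *list[MAX_TRANS] = { &newset, &elem1, &elem2, &rule };
    struct trans *elems[MAX_TRANS];  /* extra list used only by the fixed path */
    int n = 4, nelems = 0, i;

    g_uaf = 0;

    /* Pass 1: walk in reverse, deactivating rule, elements, then set. */
    for (i = n - 1; i >= 0; i--) {
        struct trans *t = list[i];
        t->active = 0;
        if (!apply_fix)
            continue;
        if (t->type == T_NEWSETELEM) {
            elems[nelems++] = t;  /* move element to the extra list */
            list[i] = NULL;
        } else if (t->type == T_NEWSET && t->set->bound) {
            list[i] = NULL;       /* rule destructor will free the set */
        }
    }

    /* synchronize_rcu() would sit here: no reader still sees the objects. */

    /* Pass 2: destroy. The fix processes the element list first. */
    for (i = 0; i < nelems; i++)
        elem_remove(elems[i]->set);
    for (i = n - 1; i >= 0; i--) {
        struct trans *t = list[i];
        if (!t)
            continue;
        if (t->type == T_RULE)
            rule_destroy(t);
        else if (t->type == T_NEWSETELEM)
            elem_remove(t->set);
        else
            set_free(t->set);
    }

    struct outcome o = { anon.freed, g_uaf, anon.nelems };
    return o;
}

int main(void)
{
    struct outcome bug = simulate_abort(0), fix = simulate_abort(1);
    printf("unpatched: set freed %d times, %d use-after-free, %d elems left\n",
           bug.set_frees, bug.uaf, bug.elems_left);
    printf("patched:   set freed %d times, %d use-after-free, %d elems left\n",
           fix.set_frees, fix.uaf, fix.elems_left);
    return 0;
}
```

Running it shows the unpatched walk freeing the set twice and touching it twice after the first free, while the patched ordering removes both elements, frees the set exactly once, and never touches it afterwards. The model deliberately keeps a per-set `freed` counter instead of calling `free()`, so the defect is observable as a number rather than as an allocator crash.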