Patch "netfilter: ebtables: fix table blob use-after-free" has been added to the 6.2-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    netfilter: ebtables: fix table blob use-after-free

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-ebtables-fix-table-blob-use-after-free.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0bfa096f4f07ae233dc34fd5ca2006aa57475e5f
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Fri Feb 17 23:20:06 2023 +0100

    netfilter: ebtables: fix table blob use-after-free
    
    [ Upstream commit e58a171d35e32e6e8c37cfe0e8a94406732a331f ]
    
    We are not allowed to return an error at this point.
    Looking at the code it looks like ret is always 0 at this
    point, but its not.
    
    t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
    
    ... this can return a valid table, with ret != 0.
    
    This bug causes update of table->private with the new
    blob, but then frees the blob right away in the caller.
    
    Syzbot report:
    
    BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
    Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
    Workqueue: netns cleanup_net
    Call Trace:
     kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
     __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
     ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
     ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
     cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
    ...
    
    ip(6)tables appears to be ok (ret should be 0 at this point) but make
    this more obvious.
    
    Fixes: c58dd2dd443c ("netfilter: Can't fail and free after table replacement")
    Reported-by: syzbot+f61594de72d6705aea03@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index ce5dfa3babd26..757ec46fc45a0 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1090,7 +1090,7 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
 
 	audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,
 			AUDIT_XT_OP_REPLACE, GFP_KERNEL);
-	return ret;
+	return 0;
 
 free_unlock:
 	mutex_unlock(&ebt_mutex);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 2ed7c58b471ac..aae5fd51dfd74 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1045,7 +1045,6 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 	struct xt_counters *counters;
 	struct ipt_entry *iter;
 
-	ret = 0;
 	counters = xt_counters_alloc(num_counters);
 	if (!counters) {
 		ret = -ENOMEM;
@@ -1091,7 +1090,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 		net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
 	}
 	vfree(counters);
-	return ret;
+	return 0;
 
  put_module:
 	module_put(t->me);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2d816277f2c5a..ac902f7bca477 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1062,7 +1062,6 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 	struct xt_counters *counters;
 	struct ip6t_entry *iter;
 
-	ret = 0;
 	counters = xt_counters_alloc(num_counters);
 	if (!counters) {
 		ret = -ENOMEM;
@@ -1108,7 +1107,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 		net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
 	}
 	vfree(counters);
-	return ret;
+	return 0;
 
  put_module:
 	module_put(t->me);



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux