Patch "netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper" has been added to the 6.1-stable tree


 



This is a note to let you know that I've just added the patch titled

    netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-conntrack-fix-null-pointer-dereference-in-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2d451b88e38b4838eb668e9d8b20d3e08cdfa728
Author: Tijs Van Buggenhout <tijs.van.buggenhout@xxxxxxxxxxxx>
Date:   Thu May 25 12:25:26 2023 +0200

    netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
    
    [ Upstream commit e1f543dc660b44618a1bd72ddb4ca0828a95f7ad ]
    
    An nf_conntrack_helper from nf_conn_help may become NULL after DNAT.
    
    Observed when TCP port 1720 (Q931_PORT), associated with h323 conntrack
    helper, is DNAT'ed to another destination port (e.g. 1730), while
    nfqueue is being used for final acceptance (e.g. snort).
    
    This happened after transition from kernel 4.14 to 5.10.161.
    
    Workarounds:
     * keep the same port (1720) in DNAT
     * disable nfqueue
     * disable/unload h323 NAT helper
    
    $ linux-5.10/scripts/decode_stacktrace.sh vmlinux < /tmp/kernel.log
    BUG: kernel NULL pointer dereference, address: 0000000000000084
    [..]
    RIP: 0010:nf_conntrack_update (net/netfilter/nf_conntrack_core.c:2080 net/netfilter/nf_conntrack_core.c:2134) nf_conntrack
    [..]
    nfqnl_reinject (net/netfilter/nfnetlink_queue.c:237) nfnetlink_queue
    nfqnl_recv_verdict (net/netfilter/nfnetlink_queue.c:1230) nfnetlink_queue
    nfnetlink_rcv_msg (net/netfilter/nfnetlink.c:241) nfnetlink
    [..]
    
    Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
    Signed-off-by: Tijs Van Buggenhout <tijs.van.buggenhout@xxxxxxxxxxxx>
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index a0e9c7af08467..7960262966094 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2277,6 +2277,9 @@ static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
 		return 0;
 
 	helper = rcu_dereference(help->helper);
+	if (!helper)
+		return 0;
+
 	if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
 		return 0;
 
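Review bot: the new `if (!helper) return 0;` carries no comment saying when `help->helper` can be NULL on a conntrack that still has a help extension; the commit message supplies the reason (the helper is dropped once DNAT moves the destination port away from the helper's registered one, here 1720 to 1730), and a one-line comment at that spot would keep a later cleanup from "simplifying" the check away. Returning 0 is consistent with the existing `if (!(helper->flags & NF_CT_HELPER_F_USERSPACE)) return 0;` directly below it: a conntrack without a helper has nothing for userspace to confirm, so the packet takes the same path as one whose helper is a kernel helper.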


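The scenario in the commit message (a Q.931 helper attached on TCP 1720, DNAT to a different port, final accept decided from userspace via nfqueue) can be stood up as a test ruleset when checking whether a kernel carries this fix. The ruleset below is a constructed example added here; it is not from the report, the patch or the kernel tree. The addresses (10.0.0.0/24 for clients, 192.0.2.10 for the H.323 endpoint), the helper object name `q931`, and queue number 0 are assumptions; the helper type string "Q.931" is the name the kernel's h323 conntrack module registers for TCP 1720, and the queue must have a userspace consumer (snort, or any libnetfilter_queue program) returning ACCEPT verdicts, since that verdict path is where the trace above was taken.

```nft
# Constructed reproduction ruleset for the report's scenario (added example,
# not part of the patch). Load with: nft -f <file>
# Assumes nf_conntrack_h323 and nf_nat_h323 are loaded and a userspace
# program is bound to queue 0 and issues ACCEPT verdicts.

flush ruleset

table inet filter {
    # Helper object: the kernel's h323 module registers "Q.931" for TCP 1720.
    ct helper q931 {
        type "Q.931" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        # Attach the helper to new call-signalling connections from the LAN
        # (10.0.0.0/24 is an assumed client range).
        ip saddr 10.0.0.0/24 tcp dport 1720 ct helper set "q931"
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        # Final acceptance from userspace, as in the report; the verdict
        # comes back through nfqnl_recv_verdict -> nfqnl_reinject ->
        # nf_conntrack_update, the path shown in the stack trace.
        ct state new queue num 0
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Trigger condition from the report: the DNAT target port differs
        # from 1720. The first workaround listed in the commit message is
        # to keep the port, i.e. "dnat to 192.0.2.10:1720" instead.
        # 192.0.2.10 (TEST-NET-1) is an assumed H.323 endpoint address.
        tcp dport 1720 dnat to 192.0.2.10:1730
    }
}
```

Run an H.323 client from the assumed client range against port 1720 with the queue consumer attached. On a kernel without the fix the report's oops (`BUG: kernel NULL pointer dereference` in `nf_conntrack_update`) appears in the kernel log when the first verdict is reinjected; with the fix the connection is simply handled as one without a helper. Swapping in the port-preserving DNAT rule exercises the first workaround from the commit message and should not oops on either kernel.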
