From: Pablo Neira Ayuso <pablo@netfilter.org>
To: michael-dev <michael-dev@fami-braun.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 3/3] datatype: fix double-free resulting in use-after-free in datatype_free
Date: Fri, 1 May 2020 22:30:13 +0200 [thread overview]
Message-ID: <20200501203013.GA29652@salvia> (raw)
In-Reply-To: <545922fa020689faa17dae656320fe58@fami-braun.de>
On Fri, May 01, 2020 at 09:59:35PM +0200, michael-dev wrote:
> Am 01.05.2020 21:27, schrieb Pablo Neira Ayuso:
> > On Fri, May 01, 2020 at 05:48:18PM +0200, Michael Braun wrote:
> > > + if (dtype == expr->dtype)
> > > + return; // do not free dtype before incrementing refcnt again
> >
> > The problem you describe (use-after-free) happens in this case, right?
>
> The problem is more likely due to concat_expr_parse_udata not calling
> datatype_get,
> because otherwise datatype_get would be in the backtrace of ASAN.
>
> >
> > datatype_set(expr, expr->dtype);
> >
> > Or am I missing anything?
>
> But while debugging the above output, I added assert(dtype != expr->dtype)
> here
> and that crashed. So I'm sure something like this is happening.
Right.
# nft add rule ip x y ct state new,established,related,untracked
# nft list ruleset
nft: datatype.c:1086: datatype_set: Assertion `expr->dtype != dtype' failed.
Aborted
> And the whole thing was nasty to debug, so I added this one just be sure it
> does not happen again.
>
> As ASAN should hit on datatype_get incrementing refcnt if datatype_free had
> actually freed it,
> assert was probaby not seeing an DTYPE_F_ALLOC instance.
> But I dig not deeper here, as I felt this return is safe to add.
I'm going to apply this. I think it's safe to turn this into noop.
next prev parent reply other threads:[~2020-05-01 20:30 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-01 15:48 [PATCH 1/3] main: fix ASAN -fsanizize=address error Michael Braun
2020-05-01 15:48 ` [PATCH 2/3] utils: fix UBSAN warning in fls Michael Braun
2020-05-01 19:18 ` Pablo Neira Ayuso
2020-05-01 15:48 ` [PATCH 3/3] datatype: fix double-free resulting in use-after-free in datatype_free Michael Braun
2020-05-01 19:27 ` Pablo Neira Ayuso
2020-05-01 19:59 ` michael-dev
2020-05-01 20:30 ` Pablo Neira Ayuso [this message]
2020-05-01 19:18 ` [PATCH 1/3] main: fix ASAN -fsanizize=address error Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200501203013.GA29652@salvia \
--to=pablo@netfilter.org \
--cc=michael-dev@fami-braun.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.