From: Greg KH <greg@kroah.com>
To: linux-kernel@vger.kernel.org
Cc: pablo@netfilter.org, stable-commits@vger.kernel.org
Subject: Re: Patch "netfilter: nftables: fix possible UAF over chains from packet path in netns" has been added to the 4.19-stable tree
Date: Mon, 15 Feb 2021 13:14:54 +0100 [thread overview]
Message-ID: <YCplvtJjUZc0TK1P@kroah.com> (raw)
In-Reply-To: <20210215042956.9644064EC3@mail.kernel.org>
On Sun, Feb 14, 2021 at 11:29:55PM -0500, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
> netfilter: nftables: fix possible UAF over chains from packet path in netns
>
> to the 4.19-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> netfilter-nftables-fix-possible-uaf-over-chains-from.patch
> and it can be found in the queue-4.19 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
>
> commit 142e293ce46a1c63cb167af6743e2b8abb6581df
> Author: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Tue Feb 2 16:07:37 2021 +0100
>
> netfilter: nftables: fix possible UAF over chains from packet path in netns
>
> [ Upstream commit 767d1216bff82507c945e92fe719dff2083bb2f4 ]
>
> Although hooks are released via call_rcu(), chain and rule objects are
> immediately released while packets are still walking over these bits.
>
> This patch adds the .pre_exit callback which is invoked before
> synchronize_rcu() in the netns framework to stay safe.
>
> Remove a comment which is not valid anymore since the core does not use
> synchronize_net() anymore since 8c873e219970 ("netfilter: core: free
> hooks with call_rcu").
>
> Suggested-by: Florian Westphal <fw@strlen.de>
> Fixes: df05ef874b28 ("netfilter: nf_tables: release objects on netns destruction")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 9cc8e92f4b000..e669e20120446 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -7303,6 +7303,17 @@ int __nft_release_basechain(struct nft_ctx *ctx)
> }
> EXPORT_SYMBOL_GPL(__nft_release_basechain);
>
> +static void __nft_release_hooks(struct net *net)
> +{
> + struct nft_table *table;
> + struct nft_chain *chain;
> +
> + list_for_each_entry(table, &net->nft.tables, list) {
> + list_for_each_entry(chain, &table->chains, list)
> + nf_tables_unregister_hook(net, table, chain);
> + }
> +}
> +
> static void __nft_release_tables(struct net *net)
> {
> struct nft_flowtable *flowtable, *nf;
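Review bot: __nft_release_hooks() walks net->nft.tables and every table->chains list without holding net->nft.commit_mutex, while nf_tables_exit_net() further down takes that mutex before its own teardown; unless the caller of the new helper guarantees exclusive access to those lists, the pre_exit walk should run under the same lock, i.e. bracket the call with mutex_lock(&net->nft.commit_mutex) and mutex_unlock(&net->nft.commit_mutex).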
> @@ -7318,10 +7329,6 @@ static void __nft_release_tables(struct net *net)
>
> list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
> ctx.family = table->family;
> -
> - list_for_each_entry(chain, &table->chains, list)
> - nf_tables_unregister_hook(net, table, chain);
> - /* No packets are walking on these chains anymore. */
> ctx.table = table;
> list_for_each_entry(chain, &table->chains, list) {
> ctx.chain = chain;
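Review bot: the removed line "/* No packets are walking on these chains anymore. */" was the only statement in __nft_release_tables() of the precondition under which freeing chains and rules is safe; with the unregister loop gone, that precondition now holds only because the netns core runs synchronize_rcu() between .pre_exit and .exit, so a replacement comment at the top of __nft_release_tables() (e.g. "hooks were unregistered in nf_tables_pre_exit_net() and a grace period has elapsed") would keep that ordering requirement visible to the next person who moves this code.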
> @@ -7368,6 +7375,11 @@ static int __net_init nf_tables_init_net(struct net *net)
> return 0;
> }
>
> +static void __net_exit nf_tables_pre_exit_net(struct net *net)
> +{
> + __nft_release_hooks(net);
> +}
> +
> static void __net_exit nf_tables_exit_net(struct net *net)
> {
> mutex_lock(&net->nft.commit_mutex);
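Review bot: nf_tables_pre_exit_net() carries no comment on why hook removal is split out of nf_tables_exit_net(); a one-line note that the core synchronizes RCU after .pre_exit, so packet-path walkers are gone before .exit frees the chain and rule objects, would document the fix. For a tree where the split is not possible, the equivalent ordering can be kept inside nf_tables_exit_net() by calling __nft_release_hooks(net) followed by synchronize_rcu() before __nft_release_tables(net).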
> @@ -7379,8 +7391,9 @@ static void __net_exit nf_tables_exit_net(struct net *net)
> }
>
> static struct pernet_operations nf_tables_net_ops = {
> - .init = nf_tables_init_net,
> - .exit = nf_tables_exit_net,
> + .init = nf_tables_init_net,
> + .pre_exit = nf_tables_pre_exit_net,
> + .exit = nf_tables_exit_net,
> };
>
> static int __init nf_tables_module_init(void)
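Review bot: the new ".pre_exit = nf_tables_pre_exit_net," initializer only compiles if struct pernet_operations in the target tree has a pre_exit member; the reply below reports that this patch breaks the build on 4.19.y, and this line is the likely cause, so the backport needs either the pre_exit method in struct pernet_operations (and the core call to it before synchronize_rcu()) brought to 4.19.y first, or a 4.19-specific version that does not rely on the member.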
This breaks the build in 4.19.y, so I've dropped it.
Sasha, did it pass your builders?
thanks,
greg k-h