[PATCH AUTOSEL 4.19 70/81] netfilter: nf_tables: use-after-free in dynamic operations

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Sasha Levin <alexander.levin@microsoft.com>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 70/81] netfilter: nf_tables: use-after-free in dynamic operations
Date: Tue,  7 May 2019 01:35:41 -0400	[thread overview]
Message-ID: <20190507053554.30848-70-sashal@kernel.org> (raw)
In-Reply-To: <20190507053554.30848-1-sashal@kernel.org>

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit 3f3a390dbd59d236f62cff8e8b20355ef7069e3d ]

Smatch reports:

       net/netfilter/nf_tables_api.c:2167 nf_tables_expr_destroy()
        error: dereferencing freed memory 'expr->ops'

net/netfilter/nf_tables_api.c
    2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
    2163                                   struct nft_expr *expr)
    2164 {
    2165        if (expr->ops->destroy)
    2166                expr->ops->destroy(ctx, expr);
                                                ^^^^
--> 2167        module_put(expr->ops->type->owner);
                           ^^^^^^^^^
    2168 }

Smatch says there are three functions which free expr->ops.

Fixes: b8e204006340 ("netfilter: nft_compat: use .release_ops and remove list of extension")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 net/netfilter/nf_tables_api.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f272f9538c44..ef7ff13a7b99 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2113,9 +2113,11 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx,
 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
 				   struct nft_expr *expr)
 {
+	const struct nft_expr_type *type = expr->ops->type;
+
 	if (expr->ops->destroy)
 		expr->ops->destroy(ctx, expr);
-	module_put(expr->ops->type->owner);
+	module_put(type->owner);
 }
 
 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
-- 
2.20.1

next prev parent reply	other threads:[~2019-05-07  5:56 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20190507053554.30848-1-sashal@kernel.org>
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 11/81] mac80211: fix unaligned access in mesh table hash function Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 12/81] mac80211: Increase MAX_MSG_LEN Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 13/81] cfg80211: Handle WMM rules in regulatory domain intersection Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 14/81] mac80211: fix memory accounting with A-MSDU aggregation Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 15/81] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 18/81] mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 23/81] selftests: fib_tests: Fix 'Command line is not complete' errors Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 24/81] mISDN: Check address length before reading address family Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 25/81] vxge: fix return of a free'd memblock on a failed dma mapping Sasha Levin
2019-05-07  5:34 ` [PATCH AUTOSEL 4.19 26/81] qede: fix write to free'd pointer error and double free of ptp Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 38/81] ocelot: Don't sleep in atomic context (irqs_disabled()) Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 44/81] ipvs: do not schedule icmp errors from tunnels Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 45/81] netfilter: ctnetlink: don't use conntrack/expect object addresses as id Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 46/81] netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook() Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 51/81] selftests/net: correct the return value for run_netsocktests Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 52/81] netfilter: fix nf_l4proto_log_invalid to log invalid packets Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 56/81] spi: Micrel eth switch: declare missing of table Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 66/81] net: dsa: mv88e6xxx: fix few issues in mv88e6390x_port_set_cmode Sasha Levin
2019-05-07  5:35 ` Sasha Levin [this message]
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 71/81] netfilter: nf_tables: add missing ->release_ops() in error path of newrule() Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 72/81] net: fec: manage ahb clock in runtime pm Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 73/81] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 74/81] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 75/81] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 76/81] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 77/81] net/tls: fix the IV leaks Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 78/81] net: strparser: partially revert "strparser: Call skb_unclone conditionally" Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 79/81] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Sasha Levin
2019-05-07  5:35 ` [PATCH AUTOSEL 4.19 80/81] nfc: nci: Potential off by one in ->pipes[] array Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f272f9538c4 dfblob:ef7ff13a7b9 )
 OR (
bs:"[PATCH AUTOSEL 4.19 70/81] netfilter: nf_tables: use-after-free in dynamic operations" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190507053554.30848-70-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=alexander.levin@microsoft.com \
    --cc=coreteam@netfilter.org \
    --cc=dan.carpenter@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).