lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4c1e4e28-1dea-9750-348d-cb36bd5f5286@gmail.com>
Date:   Mon, 13 Feb 2023 14:42:26 +0800
From:   Hangyu Hua <hbh25y@...il.com>
To:     Florian Westphal <fw@...len.de>,
        Pablo Neira Ayuso <pablo@...filter.org>
Cc:     kadlec@...filter.org, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com,
        netfilter-devel@...r.kernel.org, coreteam@...filter.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: netfilter: fix possible refcount leak in
 ctnetlink_create_conntrack()

On 12/2/2023 20:53, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@...filter.org> wrote:
>>> One way would be to return 0 in that case (in
>>> nf_conntrack_hash_check_insert()).  What do you think?
>>
>> This is misleading to the user that adds an entry via ctnetlink?
>>
>> ETIMEDOUT also looks a bit confusing to report to userspace.
>> Rewinding: if the intention is to deal with stale conntrack extension,
>> for example, helper module has been removed while this entry was
>> added. Then, probably call EAGAIN so nfnetlink has a chance to retry
>> transparently?
> 
> Seems we first need to add a "bool *inserted" so we know when the ct
> entry went public.
>
I don't think so.

nf_conntrack_hash_check_insert(struct nf_conn *ct)
{
...
	/* The caller holds a reference to this object */
	refcount_set(&ct->ct_general.use, 2);			// [1]
	__nf_conntrack_hash_insert(ct, hash, reply_hash);
	nf_conntrack_double_unlock(hash, reply_hash);
	NF_CT_STAT_INC(net, insert);
	local_bh_enable();

	if (!nf_ct_ext_valid_post(ct->ext)) {
		nf_ct_kill(ct);					// [2]
		NF_CT_STAT_INC_ATOMIC(net, drop);
		return -ETIMEDOUT;
	}
...
}

We set ct->ct_general.use to 2 in nf_conntrack_hash_check_insert()([1]). 
nf_ct_kill willn't put the last refcount. So ct->master will not be 
freed in this way. But this means the situation not only causes 
ct->master's refcount leak but also releases ct whose refcount is still 
1 in nf_conntrack_free() (in ctnetlink_create_conntrack() err1).

I think it may be a good idea to set ct->ct_general.use to 0 after 
nf_ct_kill() ([2]) to put the caller's reference. What do you think?

Thanks,
Hangyu

> I'll also have a look at switching to a refcount based model for
> all extensions that reference external objects, this would avoid
> the entire problem, but thats likely more intrusive.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ