lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue,  2 Jul 2024 19:28:14 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+4fd66a69358fc15ae2ad@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nf_tables_trans_destroy_work

On Mon, 01 Jul 2024 13:19:15 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    1c5fc27bc48a Merge tag 'nf-next-24-06-28' of git://git.ker..
> git tree:       net-next
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12cecb1e980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git  1c5fc27bc48a

--- x/include/net/netfilter/nf_tables.h
+++ y/include/net/netfilter/nf_tables.h
@@ -1281,6 +1281,7 @@ struct nft_table {
 	u64				hgenerator;
 	u64				handle;
 	u32				use;
+	atomic_t			cnt;
 	u16				family:6,
 					flags:8,
 					genmask:2;
--- x/net/netfilter/nf_tables_api.c
+++ y/net/netfilter/nf_tables_api.c
@@ -162,6 +162,8 @@ static struct nft_trans *nft_trans_alloc
 
 	trans->net = ctx->net;
 	trans->table = ctx->table;
+	if (trans->table)
+		atomic_inc(&trans->table->cnt);
 	trans->seq = ctx->seq;
 	trans->flags = ctx->flags;
 	trans->report = ctx->report;
@@ -1498,6 +1500,7 @@ static int nf_tables_newtable(struct sk_
 	if (err < 0)
 		goto err_trans;
 
+	atomic_inc(&table->cnt);
 	list_add_tail_rcu(&table->list, &nft_net->tables);
 	return 0;
 err_trans:
@@ -1663,6 +1666,8 @@ static int nf_tables_deltable(struct sk_
 
 static void nf_tables_table_destroy(struct nft_table *table)
 {
+	if (!atomic_dec_and_test(&table->cnt))
+		return;
 	if (WARN_ON(table->use > 0))
 		return;
 
@@ -9532,7 +9537,6 @@ static void nft_commit_release(struct nf
 	switch (trans->msg_type) {
 	case NFT_MSG_DELTABLE:
 	case NFT_MSG_DESTROYTABLE:
-		nf_tables_table_destroy(trans->table);
 		break;
 	case NFT_MSG_NEWCHAIN:
 		free_percpu(nft_trans_chain_stats(trans));
@@ -9572,6 +9576,9 @@ static void nft_commit_release(struct nf
 		break;
 	}
 
+	if (trans->table)
+		nf_tables_table_destroy(trans->table);
+
 	if (trans->put_net)
 		put_net(trans->net);
 
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ