Message-ID: <20250303105413.2938-1-hdanton@sina.com>
Date: Mon,  3 Mar 2025 18:54:12 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+5d8c5789c8cb076b2c25@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nf_tables_trans_destroy_work (2)

On Sun, 02 Mar 2025 03:57:27 -0800
> syzbot found the following issue on:
> 
> HEAD commit:    03d38806a902 Merge tag 'thermal-6.14-rc5' of git://git.ker..
> git tree:       upstream
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=155128b7980000

#syz test

--- x/net/netfilter/nf_tables_api.c
+++ y/net/netfilter/nf_tables_api.c
@@ -10654,6 +10654,10 @@ static int nf_tables_commit(struct net *
 		mutex_unlock(&nft_net->commit_mutex);
 		return 0;
 	}
+	if (nft_net->flushed) {
+		mutex_unlock(&nft_net->commit_mutex);
+		return -EAGAIN;
+	}
 
 	nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
 
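Review bot: The new `flushed` check in nf_tables_commit returns -EAGAIN for every commit until something clears the flag, and the only clears in this patch are in nf_tables_abort and nf_tables_init_net, so forward progress depends on the caller running the abort path when commit returns -EAGAIN; that caller is outside the diff and should be confirmed. The clear in nf_tables_abort (`nft_net->flushed = 0;`) is unconditional, so an abort that happens for an unrelated reason resets the flag before any commit has observed it, which appears to defeat the retry this check is meant to force. If a one-time replay is the intent, a comment above the check would make that explicit, for example `/* destroy work was flushed by a netlink release event; return -EAGAIN so the batch is replayed, abort clears the flag */`. nf_tables_commit starts and ends outside the hunk.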
@@ -11251,6 +11255,7 @@ static int nf_tables_abort(struct net *n
 	else
 		nf_tables_module_autoload_cleanup(net);
 
+	nft_net->flushed = 0;
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return ret;
@@ -11854,6 +11859,7 @@ static int nft_rcv_nl_event(struct notif
 	gc_seq = nft_gc_seq_begin(nft_net);
 
 	nf_tables_trans_destroy_flush_work();
+	nft_net->flushed = 1;
 again:
 	list_for_each_entry(table, &nft_net->tables, list) {
 		if (nft_table_has_owner(table) &&
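Review bot: `nft_net->flushed = 1;` is set before the `list_for_each_entry` loop has decided whether any owned table is actually being removed, so as far as the hunk shows every event that reaches this point makes the next commit in this netns fail with -EAGAIN. Setting the flag only on the path where a table is torn down would narrow that. The store is a plain write; the accesses in nf_tables_commit and nf_tables_abort sit just before `mutex_unlock(&nft_net->commit_mutex)`, but whether this writer holds the same mutex is not visible here, so either confirm that or use `WRITE_ONCE(nft_net->flushed, 1);` with `READ_ONCE()` on the read side. Note too that the flag only gates commits entered after this store; destroy work queued earlier is covered solely by the `nf_tables_trans_destroy_flush_work()` call above it, so the flag by itself does not show that the reported use-after-free window is closed. nft_rcv_nl_event starts and ends outside the hunk.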
@@ -11903,6 +11909,7 @@ static int __net_init nf_tables_init_net
 	nft_net->base_seq = 1;
 	nft_net->gc_seq = 0;
 	nft_net->validate_state = NFT_VALIDATE_SKIP;
+	nft_net->flushed = 0;
 
 	return 0;
 }
--- x/include/net/netfilter/nf_tables.h
+++ y/include/net/netfilter/nf_tables.h
@@ -1915,6 +1915,7 @@ struct nftables_pernet {
 	unsigned int		base_seq;
 	unsigned int		gc_seq;
 	u8			validate_state;
+	u8			flushed;
 };
 
 extern unsigned int nf_tables_net_id;
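Review bot: The new `flushed` member of struct nftables_pernet has no comment saying what it records or which lock protects it, and this patch only ever assigns it 0 or 1. I would declare it as `bool flushed;` and add a comment such as `/* set after destroy work is flushed on netlink release; cleared on abort */`, naming commit_mutex as the protecting lock if that is confirmed. The struct begins outside the hunk.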
--

