lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 4 May 2014 13:33:57 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	Denys Fedoryshchenko <nuclearcat@...learcat.com>
Cc:	netdev@...r.kernel.org, kaber@...sh.net, kadlec@...ckhole.kfki.hu
Subject: Re: nft 2.0, NULL pointer dereference in 3.14.1

On Sun, May 04, 2014 at 10:25:58AM +0300, Denys Fedoryshchenko wrote:
> Hi
> 
> I bit more debugging and found that problem is happening at:
> 
> >sock = netlink_lookup(sock_net(ssk), ssk->sk_protocol, portid);
> 
> ssk is NULL
> 
> After checking, i noticed in nfnetlink.c
> nfnetlink_rcv_batch() function
> 
> We have
> nskb->sk = oskb->sk;
> skb = nskb;
> 
> I am matching condition
> ss = rcu_dereference_protected(table[subsys_id].subsys,
>        lockdep_is_held(&table[subsys_id].mutex));
> if (!ss) {
> 
> And then
> nfnl_unlock(subsys_id);
> kfree_skb(nskb);
> return netlink_ack(skb, nlh, -EOPNOTSUPP);
> 
> If i am not wrong, nskb same pointer as skb, so we are giving
> netlink_ack freed pointer?
> Is it "use after free()" ?

Right, this is an embarrasing use after free when no nf_tables support
has been selected / modules are not available.

> If yes, then it seems attached patch fixing my issue. Please let me
> know, if it is ok and i should submit it.

I'm going to take this, but please next time use git format-patch and
include your Signed-off-by tag. If you feel the patch is not complete
in some aspect or that you may be missing anything, just include the
RFC tag in the subject.

Thanks Denys!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists