| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 May 2022 11:20:20 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: netfilter-devel@...r.kernel.org
Cc: davem@...emloft.net, netdev@...r.kernel.org, kuba@...nel.org,
pabeni@...hat.com
Subject: [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind
From: Florian Westphal <fw@...len.de>
syzbot reports following warn:
WARNING: CPU: 0 PID: 3600 at net/netfilter/nfnetlink.c:703 nfnetlink_unbind+0x357/0x3b0 net/netfilter/nfnetlink.c:694
The syzbot generated program does this:
socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = 3
setsockopt(3, SOL_NETLINK, NETLINK_DROP_MEMBERSHIP, [1], 4) = 0
... which triggers 'WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == 0)' check.
Instead of counting, just enable reporting for every bind request
and check if we still have listeners on unbind.
While at it, also add the needed bounds check on nfnl_group2type[]
access.
Reported-by: <syzbot+4903218f7fba0a2d6226@...kaller.appspotmail.com>
Reported-by: <syzbot+afd2d80e495f96049571@...kaller.appspotmail.com>
Fixes: 2794cdb0b97b ("netfilter: nfnetlink: allow to detect if ctnetlink listeners exist")
Signed-off-by: Florian Westphal <fw@...len.de>
Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
---
net/netfilter/nfnetlink.c | 24 +++++-------------------
1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index ad3bbe34ca88..2f7c477fc9e7 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -45,7 +45,6 @@ MODULE_DESCRIPTION("Netfilter messages via netlink socket");
static unsigned int nfnetlink_pernet_id __read_mostly;
struct nfnl_net {
- unsigned int ctnetlink_listeners;
struct sock *nfnl;
};
@@ -673,18 +672,8 @@ static int nfnetlink_bind(struct net *net, int group)
#ifdef CONFIG_NF_CONNTRACK_EVENTS
if (type == NFNL_SUBSYS_CTNETLINK) {
- struct nfnl_net *nfnlnet = nfnl_pernet(net);
-
nfnl_lock(NFNL_SUBSYS_CTNETLINK);
-
- if (WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == UINT_MAX)) {
- nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
- return -EOVERFLOW;
- }
-
- nfnlnet->ctnetlink_listeners++;
- if (nfnlnet->ctnetlink_listeners == 1)
- WRITE_ONCE(net->ct.ctnetlink_has_listener, true);
+ WRITE_ONCE(net->ct.ctnetlink_has_listener, true);
nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
}
#endif
@@ -694,15 +683,12 @@ static int nfnetlink_bind(struct net *net, int group)
static void nfnetlink_unbind(struct net *net, int group)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
- int type = nfnl_group2type[group];
-
- if (type == NFNL_SUBSYS_CTNETLINK) {
- struct nfnl_net *nfnlnet = nfnl_pernet(net);
+ if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
+ return;
+ if (nfnl_group2type[group] == NFNL_SUBSYS_CTNETLINK) {
nfnl_lock(NFNL_SUBSYS_CTNETLINK);
- WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == 0);
- nfnlnet->ctnetlink_listeners--;
- if (nfnlnet->ctnetlink_listeners == 0)
+ if (!nfnetlink_has_listeners(net, group))
WRITE_ONCE(net->ct.ctnetlink_has_listener, false);
nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
}
--
2.30.2
Powered by blists - more mailing lists