lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <61f38f9c-2a1f-b9a8-251b-567b7642a190@gmail.com>
Date:   Mon, 13 Feb 2023 16:48:17 +0800
From:   Hangyu Hua <hbh25y@...il.com>
To:     Florian Westphal <fw@...len.de>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>, kadlec@...filter.org,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: netfilter: fix possible refcount leak in
 ctnetlink_create_conntrack()

On 13/2/2023 16:17, Florian Westphal wrote:
> Hangyu Hua <hbh25y@...il.com> wrote:
>> On 12/2/2023 20:53, Florian Westphal wrote:
>>> Pablo Neira Ayuso <pablo@...filter.org> wrote:
>>>>> One way would be to return 0 in that case (in
>>>>> nf_conntrack_hash_check_insert()).  What do you think?
>>>>
>>>> This is misleading to the user that adds an entry via ctnetlink?
>>>>
>>>> ETIMEDOUT also looks a bit confusing to report to userspace.
>>>> Rewinding: if the intention is to deal with stale conntrack extension,
>>>> for example, helper module has been removed while this entry was
>>>> added. Then, probably call EAGAIN so nfnetlink has a chance to retry
>>>> transparently?
>>>
>>> Seems we first need to add a "bool *inserted" so we know when the ct
>>> entry went public.
>>>
>> I don't think so.
>>
>> nf_conntrack_hash_check_insert(struct nf_conn *ct)
>> {
>> ...
>> 	/* The caller holds a reference to this object */
>> 	refcount_set(&ct->ct_general.use, 2);			// [1]
>> 	__nf_conntrack_hash_insert(ct, hash, reply_hash);
>> 	nf_conntrack_double_unlock(hash, reply_hash);
>> 	NF_CT_STAT_INC(net, insert);
>> 	local_bh_enable();
>>
>> 	if (!nf_ct_ext_valid_post(ct->ext)) {
>> 		nf_ct_kill(ct);					// [2]
>> 		NF_CT_STAT_INC_ATOMIC(net, drop);
>> 		return -ETIMEDOUT;
>> 	}
>> ...
>> }
>>
>> We set ct->ct_general.use to 2 in nf_conntrack_hash_check_insert()([1]).
>> nf_ct_kill willn't put the last refcount. So ct->master will not be freed in
>> this way. But this means the situation not only causes ct->master's refcount
>> leak but also releases ct whose refcount is still 1 in nf_conntrack_free()
>> (in ctnetlink_create_conntrack() err1).
> 
> at [2] The refcount could be > 1, as entry became public.  Other CPU
> might have obtained a reference.
> 
>> I think it may be a good idea to set ct->ct_general.use to 0 after
>> nf_ct_kill() ([2]) to put the caller's reference. What do you think?
> 
> We can't, see above.  We need something similar to this (not even compile
> tested):
> 

I see. This patch look good to me. Do I need to make a v2 like this one? 
Or you guys can handle this.

Thanks,
Hangyu

> diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
> index 24002bc61e07..b9e0e01dae43 100644
> --- a/net/netfilter/nf_conntrack_bpf.c
> +++ b/net/netfilter/nf_conntrack_bpf.c
> @@ -379,12 +379,16 @@ bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
>   struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i)
>   {
>   	struct nf_conn *nfct = (struct nf_conn *)nfct_i;
> +	bool inserted;
>   	int err;
>   
>   	nfct->status |= IPS_CONFIRMED;
> -	err = nf_conntrack_hash_check_insert(nfct);
> +	err = nf_conntrack_hash_check_insert(nfctm, &inserted);
>   	if (err < 0) {
> -		nf_conntrack_free(nfct);
> +		if (inserted)
> +			nf_ct_put(nfct);
> +		else
> +			nf_conntrack_free(nfct);
>   		return NULL;
>   	}
>   	return nfct;
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index 496c4920505b..5f7b1fd744ef 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -872,7 +872,7 @@ static bool nf_ct_ext_valid_post(struct nf_ct_ext *ext)
>   }
>   
>   int
> -nf_conntrack_hash_check_insert(struct nf_conn *ct)
> +nf_conntrack_hash_check_insert(struct nf_conn *ct, bool *inserted)
>   {
>   	const struct nf_conntrack_zone *zone;
>   	struct net *net = nf_ct_net(ct);
> @@ -884,12 +884,11 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
>   	unsigned int sequence;
>   	int err = -EEXIST;
>   
> +	*inserted = false;
>   	zone = nf_ct_zone(ct);
>   
> -	if (!nf_ct_ext_valid_pre(ct->ext)) {
> -		NF_CT_STAT_INC_ATOMIC(net, insert_failed);
> -		return -ETIMEDOUT;
> -	}
> +	if (!nf_ct_ext_valid_pre(ct->ext))
> +		return -EAGAIN;
>   
>   	local_bh_disable();
>   	do {
> @@ -924,6 +923,7 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
>   			goto chaintoolong;
>   	}
>   
> +	*inserted = true;
>   	smp_wmb();
>   	/* The caller holds a reference to this object */
>   	refcount_set(&ct->ct_general.use, 2);
> @@ -934,8 +934,7 @@ nf_conntrack_hash_check_insert(struct nf_conn *ct)
>   
>   	if (!nf_ct_ext_valid_post(ct->ext)) {
>   		nf_ct_kill(ct);
> -		NF_CT_STAT_INC_ATOMIC(net, drop);
> -		return -ETIMEDOUT;
> +		return -EAGAIN;
>   	}
>   
>   	return 0;
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 1286ae7d4609..7ada6350c34d 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2244,8 +2244,10 @@ ctnetlink_create_conntrack(struct net *net,
>   	int err = -EINVAL;
>   	struct nf_conntrack_helper *helper;
>   	struct nf_conn_tstamp *tstamp;
> +	bool inserted;
>   	u64 timeout;
>   
> +restart:
>   	ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
>   	if (IS_ERR(ct))
>   		return ERR_PTR(-ENOMEM);
> @@ -2373,10 +2375,26 @@ ctnetlink_create_conntrack(struct net *net,
>   	if (tstamp)
>   		tstamp->start = ktime_get_real_ns();
>   
> -	err = nf_conntrack_hash_check_insert(ct);
> -	if (err < 0)
> -		goto err2;
> +	err = nf_conntrack_hash_check_insert(ct, &inserted);
> +	if (err < 0) {
> +		if (inserted) {
> +			nf_ct_put(ct);
> +			rcu_read_unlock();
> +			if (err == -EAGAIN)
> +				goto restart;
> +			return err;
> +		}
>   
> +		if (ct->master)
> +			nf_ct_put(ct->master);
> +
> +		if (err == -EAGAIN) {
> +			rcu_read_unlock();
> +			nf_conntrack_free(ct);
> +			goto restart;
> +		}
> +		goto err2;
> +	}
>   	rcu_read_unlock();
>   
>   	return ct;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ