lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20230703152256.GC7043@breakpoint.cc>
Date: Mon, 3 Jul 2023 17:22:56 +0200
From: Florian Westphal <fw@...len.de>
To: Florent Revest <revest@...omium.org>
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	bpf@...r.kernel.org, pablo@...filter.org, kadlec@...filter.org,
	fw@...len.de, davem@...emloft.net, edumazet@...gle.com,
	kuba@...nel.org, pabeni@...hat.com, kpsingh@...nel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH nf v2] netfilter: conntrack: Avoid nf_ct_helper_hash uses
 after free

Florent Revest <revest@...omium.org> wrote:
> If nf_conntrack_init_start() fails (for example due to a
> register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
> clean-up path frees the nf_ct_helper_hash map.
> 
> When built with NF_CONNTRACK=y, further netfilter modules (e.g:
> netfilter_conntrack_ftp) can still be loaded and call
> nf_conntrack_helpers_register(), independently of whether nf_conntrack
> initialized correctly. This accesses the nf_ct_helper_hash dangling
> pointer and causes a uaf, possibly leading to random memory corruption.
> 
> This patch guards nf_conntrack_helper_register() from accessing a freed
> or uninitialized nf_ct_helper_hash pointer and fixes possible
> uses-after-free when loading a conntrack module.

Reviewed-by: Florian Westphal <fw@...len.de>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ