2013-10-13 16:06:06 -06:00
|
|
|
/*
|
|
|
|
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/netlink.h>
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
#include <linux/netfilter/nf_tables.h>
|
|
|
|
#include <linux/netfilter/nf_tables_compat.h>
|
|
|
|
#include <linux/netfilter/x_tables.h>
|
|
|
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
|
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
2015-01-29 11:34:42 -07:00
|
|
|
#include <linux/netfilter_bridge/ebtables.h>
|
2015-02-16 03:32:28 -07:00
|
|
|
#include <linux/netfilter_arp/arp_tables.h>
|
2013-10-13 16:06:06 -06:00
|
|
|
#include <net/netfilter/nf_tables.h>
|
|
|
|
|
2016-07-23 02:00:32 -06:00
|
|
|
struct nft_xt {
|
|
|
|
struct list_head head;
|
|
|
|
struct nft_expr_ops ops;
|
|
|
|
unsigned int refcnt;
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
|
|
|
|
/* Unlike other expressions, ops doesn't have static storage duration.
|
|
|
|
* nft core assumes they do. We use kfree_rcu so that nft core can
|
|
|
|
* can check expr->ops->size even after nft_compat->destroy() frees
|
|
|
|
* the nft_xt struct that holds the ops structure.
|
|
|
|
*/
|
|
|
|
struct rcu_head rcu_head;
|
2016-07-23 02:00:32 -06:00
|
|
|
};
|
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
static bool nft_xt_put(struct nft_xt *xt)
|
2016-07-23 02:00:32 -06:00
|
|
|
{
|
|
|
|
if (--xt->refcnt == 0) {
|
|
|
|
list_del(&xt->head);
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
kfree_rcu(xt, rcu_head);
|
|
|
|
return true;
|
2016-07-23 02:00:32 -06:00
|
|
|
}
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
|
|
|
|
return false;
|
2016-07-23 02:00:32 -06:00
|
|
|
}
|
|
|
|
|
2014-10-14 02:13:48 -06:00
|
|
|
static int nft_compat_chain_validate_dependency(const char *tablename,
|
|
|
|
const struct nft_chain *chain)
|
|
|
|
{
|
|
|
|
const struct nft_base_chain *basechain;
|
|
|
|
|
2017-03-20 11:10:29 -06:00
|
|
|
if (!tablename ||
|
|
|
|
!nft_is_base_chain(chain))
|
2014-10-14 02:13:48 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
basechain = nft_base_chain(chain);
|
2014-11-10 12:53:55 -07:00
|
|
|
if (strcmp(tablename, "nat") == 0 &&
|
|
|
|
basechain->type->type != NFT_CHAIN_T_NAT)
|
2014-10-14 02:13:48 -06:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
union nft_entry {
|
|
|
|
struct ipt_entry e4;
|
|
|
|
struct ip6t_entry e6;
|
2015-01-29 11:34:42 -07:00
|
|
|
struct ebt_entry ebt;
|
2015-02-16 03:32:28 -07:00
|
|
|
struct arpt_entry arp;
|
2013-10-13 16:06:06 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline void
|
|
|
|
nft_compat_set_par(struct xt_action_param *par, void *xt, const void *xt_info)
|
|
|
|
{
|
|
|
|
par->target = xt;
|
|
|
|
par->targinfo = xt_info;
|
|
|
|
par->hotdrop = false;
|
|
|
|
}
|
|
|
|
|
2015-01-29 11:34:42 -07:00
|
|
|
static void nft_target_eval_xt(const struct nft_expr *expr,
|
2015-04-10 19:27:31 -06:00
|
|
|
struct nft_regs *regs,
|
2015-01-29 11:34:42 -07:00
|
|
|
const struct nft_pktinfo *pkt)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_target *target = expr->ops->data;
|
|
|
|
struct sk_buff *skb = pkt->skb;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
|
|
|
|
|
|
|
|
ret = target->target(skb, &pkt->xt);
|
|
|
|
|
|
|
|
if (pkt->xt.hotdrop)
|
|
|
|
ret = NF_DROP;
|
|
|
|
|
2015-01-29 11:34:42 -07:00
|
|
|
switch (ret) {
|
2013-10-13 16:06:06 -06:00
|
|
|
case XT_CONTINUE:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NFT_CONTINUE;
|
2013-10-13 16:06:06 -06:00
|
|
|
break;
|
|
|
|
default:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
break;
|
|
|
|
}
|
2015-01-29 11:34:42 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
static void nft_target_eval_bridge(const struct nft_expr *expr,
|
2015-04-10 19:27:31 -06:00
|
|
|
struct nft_regs *regs,
|
2015-01-29 11:34:42 -07:00
|
|
|
const struct nft_pktinfo *pkt)
|
|
|
|
{
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_target *target = expr->ops->data;
|
|
|
|
struct sk_buff *skb = pkt->skb;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
|
|
|
|
|
|
|
|
ret = target->target(skb, &pkt->xt);
|
|
|
|
|
|
|
|
if (pkt->xt.hotdrop)
|
|
|
|
ret = NF_DROP;
|
|
|
|
|
|
|
|
switch (ret) {
|
|
|
|
case EBT_ACCEPT:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NF_ACCEPT;
|
2015-01-29 11:34:42 -07:00
|
|
|
break;
|
|
|
|
case EBT_DROP:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NF_DROP;
|
2015-01-29 11:34:42 -07:00
|
|
|
break;
|
|
|
|
case EBT_CONTINUE:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NFT_CONTINUE;
|
2015-01-29 11:34:42 -07:00
|
|
|
break;
|
|
|
|
case EBT_RETURN:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NFT_RETURN;
|
2015-01-29 11:34:42 -07:00
|
|
|
break;
|
|
|
|
default:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = ret;
|
2015-01-29 11:34:42 -07:00
|
|
|
break;
|
|
|
|
}
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
|
|
|
|
[NFTA_TARGET_NAME] = { .type = NLA_NUL_STRING },
|
|
|
|
[NFTA_TARGET_REV] = { .type = NLA_U32 },
|
|
|
|
[NFTA_TARGET_INFO] = { .type = NLA_BINARY },
|
|
|
|
};
|
|
|
|
|
|
|
|
static void
|
|
|
|
nft_target_set_tgchk_param(struct xt_tgchk_param *par,
|
|
|
|
const struct nft_ctx *ctx,
|
|
|
|
struct xt_target *target, void *info,
|
2015-02-21 11:30:55 -07:00
|
|
|
union nft_entry *entry, u16 proto, bool inv)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
2014-11-07 10:48:33 -07:00
|
|
|
par->net = ctx->net;
|
2013-10-13 16:06:06 -06:00
|
|
|
par->table = ctx->table->name;
|
2018-01-08 18:38:03 -07:00
|
|
|
switch (ctx->family) {
|
2013-10-13 16:06:06 -06:00
|
|
|
case AF_INET:
|
|
|
|
entry->e4.ip.proto = proto;
|
|
|
|
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
|
|
|
|
break;
|
|
|
|
case AF_INET6:
|
2015-03-21 12:25:05 -06:00
|
|
|
if (proto)
|
|
|
|
entry->e6.ipv6.flags |= IP6T_F_PROTO;
|
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
entry->e6.ipv6.proto = proto;
|
|
|
|
entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
|
|
|
|
break;
|
2015-01-29 11:34:42 -07:00
|
|
|
case NFPROTO_BRIDGE:
|
2015-02-21 11:30:55 -07:00
|
|
|
entry->ebt.ethproto = (__force __be16)proto;
|
2015-01-29 11:34:42 -07:00
|
|
|
entry->ebt.invflags = inv ? EBT_IPROTO : 0;
|
|
|
|
break;
|
2015-02-16 03:32:28 -07:00
|
|
|
case NFPROTO_ARP:
|
|
|
|
break;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
par->entryinfo = entry;
|
|
|
|
par->target = target;
|
|
|
|
par->targinfo = info;
|
2017-03-20 11:10:29 -06:00
|
|
|
if (nft_is_base_chain(ctx->chain)) {
|
2013-10-13 16:06:06 -06:00
|
|
|
const struct nft_base_chain *basechain =
|
|
|
|
nft_base_chain(ctx->chain);
|
2017-12-09 07:40:25 -07:00
|
|
|
const struct nf_hook_ops *ops = &basechain->ops;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
par->hook_mask = 1 << ops->hooknum;
|
2014-10-14 04:43:50 -06:00
|
|
|
} else {
|
|
|
|
par->hook_mask = 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
2018-01-08 18:38:03 -07:00
|
|
|
par->family = ctx->family;
|
2015-05-14 06:57:23 -06:00
|
|
|
par->nft_compat = true;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static void target_compat_from_user(struct xt_target *t, void *in, void *out)
|
|
|
|
{
|
2014-06-17 13:18:44 -06:00
|
|
|
int pad;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
2014-06-17 13:18:44 -06:00
|
|
|
memcpy(out, in, t->targetsize);
|
|
|
|
pad = XT_ALIGN(t->targetsize) - t->targetsize;
|
|
|
|
if (pad > 0)
|
|
|
|
memset(out + t->targetsize, 0, pad);
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] = {
|
|
|
|
[NFTA_RULE_COMPAT_PROTO] = { .type = NLA_U32 },
|
|
|
|
[NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
|
|
|
|
};
|
|
|
|
|
2015-02-21 11:30:55 -07:00
|
|
|
static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
|
|
|
struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
|
|
|
|
u32 flags;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = nla_parse_nested(tb, NFTA_RULE_COMPAT_MAX, attr,
|
2017-04-12 06:34:07 -06:00
|
|
|
nft_rule_compat_policy, NULL);
|
2013-10-13 16:06:06 -06:00
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
if (!tb[NFTA_RULE_COMPAT_PROTO] || !tb[NFTA_RULE_COMPAT_FLAGS])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
|
|
|
|
if (flags & ~NFT_RULE_COMPAT_F_MASK)
|
|
|
|
return -EINVAL;
|
|
|
|
if (flags & NFT_RULE_COMPAT_F_INV)
|
|
|
|
*inv = true;
|
|
|
|
|
2013-11-16 14:16:47 -07:00
|
|
|
*proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
|
|
|
|
return 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
|
|
|
const struct nlattr * const tb[])
|
|
|
|
{
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_target *target = expr->ops->data;
|
|
|
|
struct xt_tgchk_param par;
|
|
|
|
size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
struct nft_xt *nft_xt;
|
2015-02-21 11:30:55 -07:00
|
|
|
u16 proto = 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
bool inv = false;
|
|
|
|
union nft_entry e = {};
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
|
|
|
|
|
2013-11-16 14:16:47 -07:00
|
|
|
if (ctx->nla[NFTA_RULE_COMPAT]) {
|
|
|
|
ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
|
|
|
|
if (ret < 0)
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
return ret;
|
2013-11-16 14:16:47 -07:00
|
|
|
}
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
|
|
|
|
|
|
|
|
ret = xt_check_target(&par, size, proto, inv);
|
|
|
|
if (ret < 0)
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
return ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
/* The standard target cannot be used */
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
if (!target->target)
|
|
|
|
return -EINVAL;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
nft_xt = container_of(expr->ops, struct nft_xt, ops);
|
|
|
|
nft_xt->refcnt++;
|
2013-10-13 16:06:06 -06:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-03-07 11:08:30 -07:00
|
|
|
nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
|
|
|
struct xt_target *target = expr->ops->data;
|
2014-06-11 06:27:46 -06:00
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_tgdtor_param par;
|
|
|
|
|
|
|
|
par.net = ctx->net;
|
|
|
|
par.target = target;
|
|
|
|
par.targinfo = info;
|
2018-01-08 18:38:03 -07:00
|
|
|
par.family = ctx->family;
|
2014-06-11 06:27:46 -06:00
|
|
|
if (par.target->destroy != NULL)
|
|
|
|
par.target->destroy(&par);
|
2013-10-13 16:06:06 -06:00
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
|
|
|
|
module_put(target->me);
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
|
|
|
{
|
|
|
|
const struct xt_target *target = expr->ops->data;
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
|
|
|
|
if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
|
|
|
|
nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
|
2014-06-17 13:18:44 -06:00
|
|
|
nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(target->targetsize), info))
|
2013-10-13 16:06:06 -06:00
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int nft_target_validate(const struct nft_ctx *ctx,
|
|
|
|
const struct nft_expr *expr,
|
|
|
|
const struct nft_data **data)
|
|
|
|
{
|
|
|
|
struct xt_target *target = expr->ops->data;
|
|
|
|
unsigned int hook_mask = 0;
|
2014-10-14 02:13:48 -06:00
|
|
|
int ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
2017-03-20 11:10:29 -06:00
|
|
|
if (nft_is_base_chain(ctx->chain)) {
|
2013-10-13 16:06:06 -06:00
|
|
|
const struct nft_base_chain *basechain =
|
|
|
|
nft_base_chain(ctx->chain);
|
2017-12-09 07:40:25 -07:00
|
|
|
const struct nf_hook_ops *ops = &basechain->ops;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
hook_mask = 1 << ops->hooknum;
|
2017-07-18 12:03:05 -06:00
|
|
|
if (target->hooks && !(hook_mask & target->hooks))
|
2014-10-14 02:13:48 -06:00
|
|
|
return -EINVAL;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
2014-10-14 02:13:48 -06:00
|
|
|
ret = nft_compat_chain_validate_dependency(target->table,
|
|
|
|
ctx->chain);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void nft_match_eval(const struct nft_expr *expr,
|
2015-04-10 19:27:31 -06:00
|
|
|
struct nft_regs *regs,
|
2013-10-13 16:06:06 -06:00
|
|
|
const struct nft_pktinfo *pkt)
|
|
|
|
{
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_match *match = expr->ops->data;
|
|
|
|
struct sk_buff *skb = pkt->skb;
|
|
|
|
bool ret;
|
|
|
|
|
|
|
|
nft_compat_set_par((struct xt_action_param *)&pkt->xt, match, info);
|
|
|
|
|
|
|
|
ret = match->match(skb, (struct xt_action_param *)&pkt->xt);
|
|
|
|
|
|
|
|
if (pkt->xt.hotdrop) {
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NF_DROP;
|
2013-10-13 16:06:06 -06:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2015-04-07 21:05:42 -06:00
|
|
|
switch (ret ? 1 : 0) {
|
|
|
|
case 1:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NFT_CONTINUE;
|
2013-10-13 16:06:06 -06:00
|
|
|
break;
|
2015-04-07 21:05:42 -06:00
|
|
|
case 0:
|
2015-04-10 19:27:31 -06:00
|
|
|
regs->verdict.code = NFT_BREAK;
|
2013-10-13 16:06:06 -06:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
|
|
|
|
[NFTA_MATCH_NAME] = { .type = NLA_NUL_STRING },
|
|
|
|
[NFTA_MATCH_REV] = { .type = NLA_U32 },
|
|
|
|
[NFTA_MATCH_INFO] = { .type = NLA_BINARY },
|
|
|
|
};
|
|
|
|
|
|
|
|
/* struct xt_mtchk_param and xt_tgchk_param look very similar */
|
|
|
|
static void
|
|
|
|
nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
|
|
|
|
struct xt_match *match, void *info,
|
2015-02-21 11:30:55 -07:00
|
|
|
union nft_entry *entry, u16 proto, bool inv)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
2014-11-07 10:48:33 -07:00
|
|
|
par->net = ctx->net;
|
2013-10-13 16:06:06 -06:00
|
|
|
par->table = ctx->table->name;
|
2018-01-08 18:38:03 -07:00
|
|
|
switch (ctx->family) {
|
2013-10-13 16:06:06 -06:00
|
|
|
case AF_INET:
|
|
|
|
entry->e4.ip.proto = proto;
|
|
|
|
entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
|
|
|
|
break;
|
|
|
|
case AF_INET6:
|
2015-03-21 12:25:05 -06:00
|
|
|
if (proto)
|
|
|
|
entry->e6.ipv6.flags |= IP6T_F_PROTO;
|
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
entry->e6.ipv6.proto = proto;
|
|
|
|
entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
|
|
|
|
break;
|
2015-01-29 11:34:42 -07:00
|
|
|
case NFPROTO_BRIDGE:
|
2015-02-21 11:30:55 -07:00
|
|
|
entry->ebt.ethproto = (__force __be16)proto;
|
2015-01-29 11:34:42 -07:00
|
|
|
entry->ebt.invflags = inv ? EBT_IPROTO : 0;
|
|
|
|
break;
|
2015-02-16 03:32:28 -07:00
|
|
|
case NFPROTO_ARP:
|
|
|
|
break;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
par->entryinfo = entry;
|
|
|
|
par->match = match;
|
|
|
|
par->matchinfo = info;
|
2017-03-20 11:10:29 -06:00
|
|
|
if (nft_is_base_chain(ctx->chain)) {
|
2013-10-13 16:06:06 -06:00
|
|
|
const struct nft_base_chain *basechain =
|
|
|
|
nft_base_chain(ctx->chain);
|
2017-12-09 07:40:25 -07:00
|
|
|
const struct nf_hook_ops *ops = &basechain->ops;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
par->hook_mask = 1 << ops->hooknum;
|
2014-10-14 04:43:50 -06:00
|
|
|
} else {
|
|
|
|
par->hook_mask = 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
2018-01-08 18:38:03 -07:00
|
|
|
par->family = ctx->family;
|
2015-05-14 06:57:23 -06:00
|
|
|
par->nft_compat = true;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static void match_compat_from_user(struct xt_match *m, void *in, void *out)
|
|
|
|
{
|
2014-06-17 13:18:44 -06:00
|
|
|
int pad;
|
|
|
|
|
|
|
|
memcpy(out, in, m->matchsize);
|
|
|
|
pad = XT_ALIGN(m->matchsize) - m->matchsize;
|
|
|
|
if (pad > 0)
|
|
|
|
memset(out + m->matchsize, 0, pad);
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
|
|
|
|
const struct nlattr * const tb[])
|
|
|
|
{
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_match *match = expr->ops->data;
|
|
|
|
struct xt_mtchk_param par;
|
|
|
|
size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
struct nft_xt *nft_xt;
|
2015-02-21 11:30:55 -07:00
|
|
|
u16 proto = 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
bool inv = false;
|
|
|
|
union nft_entry e = {};
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
|
|
|
|
|
2013-11-16 14:16:47 -07:00
|
|
|
if (ctx->nla[NFTA_RULE_COMPAT]) {
|
|
|
|
ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
|
|
|
|
if (ret < 0)
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
return ret;
|
2013-11-16 14:16:47 -07:00
|
|
|
}
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
|
|
|
|
|
|
|
|
ret = xt_check_match(&par, size, proto, inv);
|
|
|
|
if (ret < 0)
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
return ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
nft_xt = container_of(expr->ops, struct nft_xt, ops);
|
|
|
|
nft_xt->refcnt++;
|
2013-10-13 16:06:06 -06:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-03-07 11:08:30 -07:00
|
|
|
nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
|
|
|
struct xt_match *match = expr->ops->data;
|
2014-06-11 06:27:46 -06:00
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_mtdtor_param par;
|
|
|
|
|
|
|
|
par.net = ctx->net;
|
|
|
|
par.match = match;
|
|
|
|
par.matchinfo = info;
|
2018-01-08 18:38:03 -07:00
|
|
|
par.family = ctx->family;
|
2014-06-11 06:27:46 -06:00
|
|
|
if (par.match->destroy != NULL)
|
|
|
|
par.match->destroy(&par);
|
2013-10-13 16:06:06 -06:00
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
|
|
|
|
module_put(match->me);
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
|
|
|
|
{
|
|
|
|
void *info = nft_expr_priv(expr);
|
|
|
|
struct xt_match *match = expr->ops->data;
|
|
|
|
|
|
|
|
if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
|
|
|
|
nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
|
2014-06-17 13:18:44 -06:00
|
|
|
nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(match->matchsize), info))
|
2013-10-13 16:06:06 -06:00
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int nft_match_validate(const struct nft_ctx *ctx,
|
|
|
|
const struct nft_expr *expr,
|
|
|
|
const struct nft_data **data)
|
|
|
|
{
|
|
|
|
struct xt_match *match = expr->ops->data;
|
|
|
|
unsigned int hook_mask = 0;
|
2014-10-14 02:13:48 -06:00
|
|
|
int ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
2017-03-20 11:10:29 -06:00
|
|
|
if (nft_is_base_chain(ctx->chain)) {
|
2013-10-13 16:06:06 -06:00
|
|
|
const struct nft_base_chain *basechain =
|
|
|
|
nft_base_chain(ctx->chain);
|
2017-12-09 07:40:25 -07:00
|
|
|
const struct nf_hook_ops *ops = &basechain->ops;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
hook_mask = 1 << ops->hooknum;
|
2017-07-18 12:03:05 -06:00
|
|
|
if (match->hooks && !(hook_mask & match->hooks))
|
2014-10-14 02:13:48 -06:00
|
|
|
return -EINVAL;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
2014-11-10 11:08:21 -07:00
|
|
|
ret = nft_compat_chain_validate_dependency(match->table,
|
2014-10-14 02:13:48 -06:00
|
|
|
ctx->chain);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
nfnl_compat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
|
|
|
|
int event, u16 family, const char *name,
|
|
|
|
int rev, int target)
|
|
|
|
{
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
struct nfgenmsg *nfmsg;
|
|
|
|
unsigned int flags = portid ? NLM_F_MULTI : 0;
|
|
|
|
|
2017-03-28 10:57:32 -06:00
|
|
|
event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event);
|
2013-10-13 16:06:06 -06:00
|
|
|
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
|
|
|
|
if (nlh == NULL)
|
|
|
|
goto nlmsg_failure;
|
|
|
|
|
|
|
|
nfmsg = nlmsg_data(nlh);
|
|
|
|
nfmsg->nfgen_family = family;
|
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
|
|
|
if (nla_put_string(skb, NFTA_COMPAT_NAME, name) ||
|
|
|
|
nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) ||
|
|
|
|
nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target)))
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
nlmsg_end(skb, nlh);
|
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
nlmsg_failure:
|
|
|
|
nla_put_failure:
|
|
|
|
nlmsg_cancel(skb, nlh);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2015-12-15 10:41:56 -07:00
|
|
|
static int nfnl_compat_get(struct net *net, struct sock *nfnl,
|
|
|
|
struct sk_buff *skb, const struct nlmsghdr *nlh,
|
2017-06-19 11:35:46 -06:00
|
|
|
const struct nlattr * const tb[],
|
|
|
|
struct netlink_ext_ack *extack)
|
2013-10-13 16:06:06 -06:00
|
|
|
{
|
|
|
|
int ret = 0, target;
|
|
|
|
struct nfgenmsg *nfmsg;
|
|
|
|
const char *fmt;
|
|
|
|
const char *name;
|
|
|
|
u32 rev;
|
|
|
|
struct sk_buff *skb2;
|
|
|
|
|
|
|
|
if (tb[NFTA_COMPAT_NAME] == NULL ||
|
|
|
|
tb[NFTA_COMPAT_REV] == NULL ||
|
|
|
|
tb[NFTA_COMPAT_TYPE] == NULL)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
name = nla_data(tb[NFTA_COMPAT_NAME]);
|
|
|
|
rev = ntohl(nla_get_be32(tb[NFTA_COMPAT_REV]));
|
|
|
|
target = ntohl(nla_get_be32(tb[NFTA_COMPAT_TYPE]));
|
|
|
|
|
|
|
|
nfmsg = nlmsg_data(nlh);
|
|
|
|
|
|
|
|
switch(nfmsg->nfgen_family) {
|
|
|
|
case AF_INET:
|
|
|
|
fmt = "ipt_%s";
|
|
|
|
break;
|
|
|
|
case AF_INET6:
|
|
|
|
fmt = "ip6t_%s";
|
|
|
|
break;
|
2015-01-29 11:34:42 -07:00
|
|
|
case NFPROTO_BRIDGE:
|
|
|
|
fmt = "ebt_%s";
|
|
|
|
break;
|
2015-02-16 03:32:28 -07:00
|
|
|
case NFPROTO_ARP:
|
|
|
|
fmt = "arpt_%s";
|
|
|
|
break;
|
2013-10-13 16:06:06 -06:00
|
|
|
default:
|
|
|
|
pr_err("nft_compat: unsupported protocol %d\n",
|
|
|
|
nfmsg->nfgen_family);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
try_then_request_module(xt_find_revision(nfmsg->nfgen_family, name,
|
|
|
|
rev, target, &ret),
|
|
|
|
fmt, name);
|
|
|
|
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
|
|
|
|
if (skb2 == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
/* include the best revision for this extension in the message */
|
|
|
|
if (nfnl_compat_fill_info(skb2, NETLINK_CB(skb).portid,
|
|
|
|
nlh->nlmsg_seq,
|
|
|
|
NFNL_MSG_TYPE(nlh->nlmsg_type),
|
|
|
|
NFNL_MSG_COMPAT_GET,
|
|
|
|
nfmsg->nfgen_family,
|
|
|
|
name, ret, target) <= 0) {
|
|
|
|
kfree_skb(skb2);
|
|
|
|
return -ENOSPC;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
|
|
|
|
MSG_DONTWAIT);
|
|
|
|
if (ret > 0)
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
return ret == -EAGAIN ? -ENOBUFS : ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct nla_policy nfnl_compat_policy_get[NFTA_COMPAT_MAX+1] = {
|
|
|
|
[NFTA_COMPAT_NAME] = { .type = NLA_NUL_STRING,
|
|
|
|
.len = NFT_COMPAT_NAME_MAX-1 },
|
|
|
|
[NFTA_COMPAT_REV] = { .type = NLA_U32 },
|
|
|
|
[NFTA_COMPAT_TYPE] = { .type = NLA_U32 },
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct nfnl_callback nfnl_nft_compat_cb[NFNL_MSG_COMPAT_MAX] = {
|
|
|
|
[NFNL_MSG_COMPAT_GET] = { .call = nfnl_compat_get,
|
|
|
|
.attr_count = NFTA_COMPAT_MAX,
|
|
|
|
.policy = nfnl_compat_policy_get },
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct nfnetlink_subsystem nfnl_compat_subsys = {
|
|
|
|
.name = "nft-compat",
|
|
|
|
.subsys_id = NFNL_SUBSYS_NFT_COMPAT,
|
|
|
|
.cb_count = NFNL_MSG_COMPAT_MAX,
|
|
|
|
.cb = nfnl_nft_compat_cb,
|
|
|
|
};
|
|
|
|
|
|
|
|
static LIST_HEAD(nft_match_list);
|
|
|
|
|
|
|
|
static struct nft_expr_type nft_match_type;
|
|
|
|
|
2015-09-14 10:04:09 -06:00
|
|
|
static bool nft_match_cmp(const struct xt_match *match,
|
|
|
|
const char *name, u32 rev, u32 family)
|
|
|
|
{
|
|
|
|
return strcmp(match->name, name) == 0 && match->revision == rev &&
|
|
|
|
(match->family == NFPROTO_UNSPEC || match->family == family);
|
|
|
|
}
|
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
static const struct nft_expr_ops *
|
|
|
|
nft_match_select_ops(const struct nft_ctx *ctx,
|
|
|
|
const struct nlattr * const tb[])
|
|
|
|
{
|
|
|
|
struct nft_xt *nft_match;
|
|
|
|
struct xt_match *match;
|
|
|
|
char *mt_name;
|
2015-09-14 10:04:09 -06:00
|
|
|
u32 rev, family;
|
2016-07-23 02:00:31 -06:00
|
|
|
int err;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
if (tb[NFTA_MATCH_NAME] == NULL ||
|
|
|
|
tb[NFTA_MATCH_REV] == NULL ||
|
|
|
|
tb[NFTA_MATCH_INFO] == NULL)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
mt_name = nla_data(tb[NFTA_MATCH_NAME]);
|
|
|
|
rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
|
2018-01-08 18:38:03 -07:00
|
|
|
family = ctx->family;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
/* Re-use the existing match if it's already loaded. */
|
|
|
|
list_for_each_entry(nft_match, &nft_match_list, head) {
|
|
|
|
struct xt_match *match = nft_match->ops.data;
|
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
if (nft_match_cmp(match, mt_name, rev, family))
|
2013-10-13 16:06:06 -06:00
|
|
|
return &nft_match->ops;
|
|
|
|
}
|
|
|
|
|
|
|
|
match = xt_request_find_match(family, mt_name, rev);
|
|
|
|
if (IS_ERR(match))
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
|
2016-07-23 02:00:31 -06:00
|
|
|
if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto err;
|
|
|
|
}
|
2016-03-08 16:04:21 -07:00
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
/* This is the first time we use this match, allocate operations */
|
|
|
|
nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
|
2016-07-23 02:00:31 -06:00
|
|
|
if (nft_match == NULL) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto err;
|
|
|
|
}
|
2013-10-13 16:06:06 -06:00
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
nft_match->refcnt = 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
nft_match->ops.type = &nft_match_type;
|
2014-06-17 13:18:44 -06:00
|
|
|
nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
|
2013-10-13 16:06:06 -06:00
|
|
|
nft_match->ops.eval = nft_match_eval;
|
|
|
|
nft_match->ops.init = nft_match_init;
|
|
|
|
nft_match->ops.destroy = nft_match_destroy;
|
|
|
|
nft_match->ops.dump = nft_match_dump;
|
|
|
|
nft_match->ops.validate = nft_match_validate;
|
|
|
|
nft_match->ops.data = match;
|
|
|
|
|
|
|
|
list_add(&nft_match->head, &nft_match_list);
|
|
|
|
|
|
|
|
return &nft_match->ops;
|
2016-07-23 02:00:31 -06:00
|
|
|
err:
|
|
|
|
module_put(match->me);
|
|
|
|
return ERR_PTR(err);
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct nft_expr_type nft_match_type __read_mostly = {
|
|
|
|
.name = "match",
|
|
|
|
.select_ops = nft_match_select_ops,
|
|
|
|
.policy = nft_match_policy,
|
|
|
|
.maxattr = NFTA_MATCH_MAX,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static LIST_HEAD(nft_target_list);
|
|
|
|
|
|
|
|
static struct nft_expr_type nft_target_type;
|
|
|
|
|
2015-09-14 10:04:09 -06:00
|
|
|
static bool nft_target_cmp(const struct xt_target *tg,
|
|
|
|
const char *name, u32 rev, u32 family)
|
|
|
|
{
|
|
|
|
return strcmp(tg->name, name) == 0 && tg->revision == rev &&
|
|
|
|
(tg->family == NFPROTO_UNSPEC || tg->family == family);
|
|
|
|
}
|
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
static const struct nft_expr_ops *
|
|
|
|
nft_target_select_ops(const struct nft_ctx *ctx,
|
|
|
|
const struct nlattr * const tb[])
|
|
|
|
{
|
|
|
|
struct nft_xt *nft_target;
|
|
|
|
struct xt_target *target;
|
|
|
|
char *tg_name;
|
2015-09-14 10:04:09 -06:00
|
|
|
u32 rev, family;
|
2016-07-23 02:00:31 -06:00
|
|
|
int err;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
if (tb[NFTA_TARGET_NAME] == NULL ||
|
|
|
|
tb[NFTA_TARGET_REV] == NULL ||
|
|
|
|
tb[NFTA_TARGET_INFO] == NULL)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
tg_name = nla_data(tb[NFTA_TARGET_NAME]);
|
|
|
|
rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
|
2018-01-08 18:38:03 -07:00
|
|
|
family = ctx->family;
|
2013-10-13 16:06:06 -06:00
|
|
|
|
|
|
|
/* Re-use the existing target if it's already loaded. */
|
2014-10-26 05:22:40 -06:00
|
|
|
list_for_each_entry(nft_target, &nft_target_list, head) {
|
2013-10-13 16:06:06 -06:00
|
|
|
struct xt_target *target = nft_target->ops.data;
|
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
if (nft_target_cmp(target, tg_name, rev, family))
|
2013-10-13 16:06:06 -06:00
|
|
|
return &nft_target->ops;
|
|
|
|
}
|
|
|
|
|
|
|
|
target = xt_request_find_target(family, tg_name, rev);
|
|
|
|
if (IS_ERR(target))
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
|
2016-07-23 02:00:31 -06:00
|
|
|
if (target->targetsize > nla_len(tb[NFTA_TARGET_INFO])) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto err;
|
|
|
|
}
|
2016-03-08 16:04:21 -07:00
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
/* This is the first time we use this target, allocate operations */
|
|
|
|
nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
|
2016-07-23 02:00:31 -06:00
|
|
|
if (nft_target == NULL) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto err;
|
|
|
|
}
|
2013-10-13 16:06:06 -06:00
|
|
|
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
nft_target->refcnt = 0;
|
2013-10-13 16:06:06 -06:00
|
|
|
nft_target->ops.type = &nft_target_type;
|
2014-06-17 13:18:44 -06:00
|
|
|
nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
|
2013-10-13 16:06:06 -06:00
|
|
|
nft_target->ops.init = nft_target_init;
|
|
|
|
nft_target->ops.destroy = nft_target_destroy;
|
|
|
|
nft_target->ops.dump = nft_target_dump;
|
|
|
|
nft_target->ops.validate = nft_target_validate;
|
|
|
|
nft_target->ops.data = target;
|
|
|
|
|
2015-01-29 11:34:42 -07:00
|
|
|
if (family == NFPROTO_BRIDGE)
|
|
|
|
nft_target->ops.eval = nft_target_eval_bridge;
|
|
|
|
else
|
|
|
|
nft_target->ops.eval = nft_target_eval_xt;
|
|
|
|
|
2013-10-13 16:06:06 -06:00
|
|
|
list_add(&nft_target->head, &nft_target_list);
|
|
|
|
|
|
|
|
return &nft_target->ops;
|
2016-07-23 02:00:31 -06:00
|
|
|
err:
|
|
|
|
module_put(target->me);
|
|
|
|
return ERR_PTR(err);
|
2013-10-13 16:06:06 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct nft_expr_type nft_target_type __read_mostly = {
|
|
|
|
.name = "target",
|
|
|
|
.select_ops = nft_target_select_ops,
|
|
|
|
.policy = nft_target_policy,
|
|
|
|
.maxattr = NFTA_TARGET_MAX,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int __init nft_compat_module_init(void)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
ret = nft_register_expr(&nft_match_type);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
ret = nft_register_expr(&nft_target_type);
|
|
|
|
if (ret < 0)
|
|
|
|
goto err_match;
|
|
|
|
|
|
|
|
ret = nfnetlink_subsys_register(&nfnl_compat_subsys);
|
|
|
|
if (ret < 0) {
|
|
|
|
pr_err("nft_compat: cannot register with nfnetlink.\n");
|
|
|
|
goto err_target;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
err_target:
|
|
|
|
nft_unregister_expr(&nft_target_type);
|
|
|
|
err_match:
|
|
|
|
nft_unregister_expr(&nft_match_type);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit nft_compat_module_exit(void)
|
|
|
|
{
|
netfilter: nf_tables: nft_compat: fix refcount leak on xt module
Taehee Yoo reported following bug:
iptables-compat -I OUTPUT -m cpu --cpu 0
iptables-compat -F
lsmod |grep xt_cpu
xt_cpu 16384 1
Quote:
"When above command is given, a netlink message has two expressions that
are the cpu compat and the nft_counter.
The nft_expr_type_get() in the nf_tables_expr_parse() successes
first expression then, calls select_ops callback.
(allocates memory and holds module)
But, second nft_expr_type_get() in the nf_tables_expr_parse()
returns -EAGAIN because of request_module().
In that point, by the 'goto err1',
the 'module_put(info[i].ops->type->owner)' is called.
There is no release routine."
The core problem is that unlike all other expression,
nft_compat select_ops has side effects.
1. it allocates dynamic memory which holds an nft ops struct.
In all other expressions, ops has static storage duration.
2. It grabs references to the xt module that it is supposed to
invoke.
Depending on where things go wrong, error unwinding doesn't
always do the right thing.
In the above scenario, a new nft_compat_expr is created and
xt_cpu module gets loaded with a refcount of 1.
Due to to -EAGAIN, the netlink messages get re-parsed.
When that happens, nft_compat finds that xt_cpu is already present
and increments module refcount again.
This fixes the problem by making select_ops to have no visible
side effects and removes all extra module_get/put.
When select_ops creates a new nft_compat expression, the new
expression has a refcount of 0, and the xt module gets its refcount
incremented.
When error happens, the next call finds existing entry, but will no
longer increase the reference count -- the presence of existing
nft_xt means we already hold a module reference.
Because nft_xt_put is only called from nft_compat destroy hook,
it will never see the initial zero reference count.
->destroy can only be called after ->init(), and that will increase the
refcount.
Lastly, we now free nft_xt struct with kfree_rcu.
Else, we get use-after free in nf_tables_rule_destroy:
while (expr != nft_expr_last(rule) && expr->ops) {
nf_tables_expr_destroy(ctx, expr);
expr = nft_expr_next(expr); // here
nft_expr_next() dereferences expr->ops. This is safe
for all users, as ops have static storage duration.
In nft_compat case however, its ->destroy callback can
free the memory that hold the ops structure.
Tested-by: Taehee Yoo <ap420073@gmail.com>
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-02 06:07:42 -06:00
|
|
|
struct nft_xt *xt, *next;
|
|
|
|
|
|
|
|
/* list should be empty here, it can be non-empty only in case there
|
|
|
|
* was an error that caused nft_xt expr to not be initialized fully
|
|
|
|
* and noone else requested the same expression later.
|
|
|
|
*
|
|
|
|
* In this case, the lists contain 0-refcount entries that still
|
|
|
|
* hold module reference.
|
|
|
|
*/
|
|
|
|
list_for_each_entry_safe(xt, next, &nft_target_list, head) {
|
|
|
|
struct xt_target *target = xt->ops.data;
|
|
|
|
|
|
|
|
if (WARN_ON_ONCE(xt->refcnt))
|
|
|
|
continue;
|
|
|
|
module_put(target->me);
|
|
|
|
kfree(xt);
|
|
|
|
}
|
|
|
|
|
|
|
|
list_for_each_entry_safe(xt, next, &nft_match_list, head) {
|
|
|
|
struct xt_match *match = xt->ops.data;
|
|
|
|
|
|
|
|
if (WARN_ON_ONCE(xt->refcnt))
|
|
|
|
continue;
|
|
|
|
module_put(match->me);
|
|
|
|
kfree(xt);
|
|
|
|
}
|
2013-10-13 16:06:06 -06:00
|
|
|
nfnetlink_subsys_unregister(&nfnl_compat_subsys);
|
|
|
|
nft_unregister_expr(&nft_target_type);
|
|
|
|
nft_unregister_expr(&nft_match_type);
|
|
|
|
}
|
|
|
|
|
|
|
|
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);
|
|
|
|
|
|
|
|
module_init(nft_compat_module_init);
|
|
|
|
module_exit(nft_compat_module_exit);
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
|
|
|
|
MODULE_ALIAS_NFT_EXPR("match");
|
|
|
|
MODULE_ALIAS_NFT_EXPR("target");
|