iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Pablo Neira Ayuso 2d15663304 netfilter: conntrack: refetch conntrack after nf_conntrack_update() 
[ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ]

__nf_conntrack_update() might refresh the conntrack object that is
attached to the skbuff. Otherwise, this triggers UAF.

[  633.200434] ==================================================================
[  633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[  633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769

[  633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388
[  633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
[  633.200491] Call Trace:
[  633.200499]  dump_stack+0x7c/0xb0
[  633.200526]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[  633.200532]  print_address_description.constprop.6+0x1a/0x200
[  633.200539]  ? _raw_write_lock_irqsave+0xc0/0xc0
[  633.200568]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[  633.200594]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[  633.200598]  kasan_report.cold.9+0x1f/0x42
[  633.200604]  ? call_rcu+0x2c0/0x390
[  633.200633]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[  633.200659]  nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[  633.200687]  ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack]

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436
Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-07-16 08:16:38 +02:00
..
6lowpan
6lowpan: no need to check return value of debugfs_create functions
2019-07-06 12:50:01 +02:00
9p
9p pull request for inclusion in 5.4
2019-09-27 15:10:34 -07:00
802
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
8021q
vlan: vlan_changelink() should propagate errors
2020-01-12 12:21:50 +01:00
appletalk
appletalk: enforce CAP_NET_RAW for raw sockets
2019-09-24 16:37:18 +02:00
atm
net: atm: Reduce the severity of logging in unlink_clip_vcc
2019-11-18 17:08:20 -08:00
ax25
ax25: fix setsockopt(SO_BINDTODEVICE)
2020-06-03 08:20:39 +02:00
batman-adv
batman-adv: Revert "disable ethtool link speed detection when auto negotiation off"
2020-06-22 09:30:56 +02:00
bluetooth
Bluetooth: Add SCO fallback for invalid LMP parameters error
2020-06-22 09:30:54 +02:00
bpf
bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN
2019-07-25 18:00:41 -07:00
bpfilter
net/bpfilter: remove superfluous testing message
2020-04-21 09:04:53 +02:00
bridge
net: bridge: enfore alignment for ethernet address
2020-06-30 15:36:44 -04:00
caif
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
can
can: j1939: j1939_sk_bind(): take priv after lock is held
2019-12-31 16:45:56 +01:00
ceph
libceph: ignore pool overlay and cache logic on redirects
2020-06-03 08:21:25 +02:00
core
bpf, sockmap: RCU dereferenced psock may be used outside RCU block
2020-07-16 08:16:37 +02:00
dcb
dccp
dccp: Fix possible memleak in dccp_init and dccp_fini
2020-06-17 16:40:32 +02:00
decnet
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:18:58 +01:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:36:45 +02:00
dsa
net: dsa: declare lockless TX feature for slave ports
2020-06-03 08:21:38 +02:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:20:06 +01:00
hsr
hsr: check protocol version in hsr_newlink()
2020-04-21 09:04:44 +02:00
ieee802154
nl802154: add missing attribute validation for dev_type
2020-03-18 07:17:44 +01:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
2020-06-30 15:36:47 -04:00
ipv6
ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
2020-06-30 15:36:46 -04:00
iucv
net/af_iucv: mark expected switch fall-throughs
2019-07-29 10:26:14 -07:00
kcm
kcm: disable preemption in kcm_parse_func_strparser()
2019-09-27 10:27:14 +02:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-07-08 19:48:57 -07:00
l2tp
l2tp: do not use inet_hash()/inet_unhash()
2020-06-10 20:24:54 +02:00
l3mdev
ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF
2019-06-23 13:24:17 -07:00
lapb
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-17 20:20:36 -07:00
llc
llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
2020-01-12 12:21:45 +01:00
mac80211
mac80211: mesh: fix discovery timer re-arming issue / crash
2020-06-03 08:21:30 +02:00
mac802154
mpls
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-18 16:08:42 +01:00
ncsi
net/ncsi: Disable global multicast filter
2019-09-19 18:04:40 -07:00
netfilter
netfilter: conntrack: refetch conntrack after nf_conntrack_update()
2020-07-16 08:16:38 +02:00
netlabel
netlabel: cope with NULL catmap
2020-05-20 08:20:08 +02:00
netlink
netlink: Use netlink header as base to calculate bad attribute offset
2020-03-18 07:17:40 +01:00
netrom
net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
2020-04-29 16:33:08 +02:00
nfc
nfc: add missing attribute validation for vendor subcommand
2020-03-18 07:17:46 +01:00
nsh
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
openvswitch
openvswitch: take into account de-fragmentation/gso_size in execute_check_pkt_len
2020-06-30 15:36:45 -04:00
packet
net/packet: tpacket_rcv: avoid a producer race condition
2020-04-01 11:01:35 +02:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
psample
net: psample: fix skb_over_panic
2019-12-04 22:30:54 +01:00
qrtr
net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
2020-07-16 08:16:36 +02:00
rds
net/rds: Use ERR_PTR for rds_message_alloc_sgs()
2020-05-20 08:20:27 +02:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2020-01-12 12:21:33 +01:00
rose
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
rxrpc
rxrpc: Fix afs large storage transmission performance drop
2020-07-09 09:37:52 +02:00
sched
net: sched: export __netdev_watchdog_up()
2020-06-30 15:36:47 -04:00
sctp
sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
2020-06-30 15:36:45 -04:00
smc
net/smc: cancel event worker during device removal
2020-03-18 07:17:59 +01:00
strparser
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-22 08:59:24 -04:00
sunrpc
xprtrdma: Fix handling of RDMA_ERROR replies
2020-06-30 15:37:12 -04:00
switchdev
tipc
tipc: block BH before using dst_cache
2020-06-03 08:21:03 +02:00
tls
bpf: Fix running sk_skb program types with ktls
2020-06-22 09:31:12 +02:00
unix
af_unix: add compat_ioctl support
2020-01-17 19:48:52 +01:00
vmw_vsock
vsock: fix timeout in vsock_accept()
2020-06-10 20:24:55 +02:00
wimax
wimax: no need to check return value of debugfs_create functions
2019-08-10 15:25:47 -07:00
wireless
nl80211: don't return err unconditionally in nl80211_start_ap()
2020-07-16 08:16:37 +02:00
x25
net/x25: Fix x25_neigh refcnt leak when receiving frame
2020-04-29 16:33:09 +02:00
xdp
xdp: Fix xsk_generic_xmit errno
2020-06-24 17:50:44 +02:00
xfrm
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
2020-06-30 15:36:53 -04:00
compat.c
Kconfig
net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
2020-04-01 11:02:18 +02:00
Makefile
socket.c
compat_ioctl: handle SIOCOUTQNSD
2020-01-17 19:48:52 +01:00
sysctl_net.c