iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Florian Westphal b0e56e3c56 netfilter: nat: can't use dst_hold on noref dst 
[ Upstream commit 542fbda0f08f1cbbc250f9e59f7537649651d0c8 ]

The dst entry might already have a zero refcount, waiting on rcu list
to be free'd.  Using dst_hold() transitions its reference count to 1, and
next dst release will try to free it again -- resulting in a double free:

  WARNING: CPU: 1 PID: 0 at include/net/dst.h:239 nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
  RIP: 0010:nf_xfrm_me_harder+0xe7/0x130 [nf_nat]
  Code: 48 8b 5c 24 60 65 48 33 1c 25 28 00 00 00 75 53 48 83 c4 68 5b 5d 41 5c c3 85 c0 74 0d 8d 48 01 f0 0f b1 0a 74 86 85 c0 75 f3 <0f> 0b e9 7b ff ff ff 29 c6 31 d2 b9 20 00 48 00 4c 89 e7 e8 31 27
  Call Trace:
  nf_nat_ipv4_out+0x78/0x90 [nf_nat_ipv4]
  nf_hook_slow+0x36/0xd0
  ip_output+0x9f/0xd0
  ip_forward+0x328/0x440
  ip_rcv+0x8a/0xb0

Use dst_hold_safe instead and bail out if we cannot take a reference.

Fixes: a4c2fd7f7891 ("net: remove DST_NOCACHE flag")
Reported-by: Martin Zaharinov <micron10@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-01-13 10:00:58 +01:00
..
6lowpan
6lowpan: iphc: reset mac_header after decompress to fix panic
2018-10-03 17:00:47 -07:00
9p
9p: clear dangling pointers in p9stat_free
2018-11-21 09:24:04 +01:00
802
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
8021q
net: fix use-after-free in GRO with ESP
2018-07-22 14:28:44 +02:00
appletalk
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atm
atm: Preserve value of skb->truesize when accounting to vcc
2018-07-22 14:28:43 +02:00
ax25
ax25: fix a use-after-free in ax25_fillin_cb()
2019-01-09 17:14:43 +01:00
batman-adv
batman-adv: Expand merged fragment buffer for full packet
2018-12-13 09:18:46 +01:00
bluetooth
Bluetooth: SMP: fix crash in unpairing
2018-11-04 14:52:39 +01:00
bpf
bridge
net: bridge: remove ipv6 zero address check in mcast queries
2018-11-04 14:52:48 +01:00
caif
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
2018-09-05 09:26:27 +02:00
can
can: raw: check for CAN FD capable netdev in raw_sendmsg()
2018-12-01 09:42:52 +01:00
ceph
libceph: check authorizer reply/challenge length before reading
2018-12-05 19:41:27 +01:00
core
sock: Make sock->sk_stamp thread-safe
2019-01-09 17:14:46 +01:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:43:43 +02:00
dccp
inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
2018-10-18 09:16:21 +02:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:07:52 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:28:49 +02:00
dsa
net: dsa: Do not suspend/resume closed slave_dev
2018-08-06 16:20:48 +02:00
ethernet
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
hsr
net/hsr: Check skb_put_padto() return value
2017-08-22 13:40:23 -07:00
ieee802154
ieee802154: lowpan_header_create check must check daddr
2019-01-09 17:14:43 +01:00
ife
net: sched: ife: check on metadata length
2018-04-29 11:33:13 +02:00
ipv4
tcp: fix a race in inet_diag_dump_icsk()
2019-01-09 17:14:44 +01:00
ipv6
ipv6: tunnels: fix two use-after-free
2019-01-09 17:14:43 +01:00
ipx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:10:41 +02:00
kcm
kcm: Fix use-after-free caused by clonned sockets
2018-06-11 22:49:19 +02:00
key
af_key: Always verify length of provided sadb_key
2018-06-16 09:45:14 +02:00
l2tp
l2tp: remove configurable payload offset
2018-11-04 14:52:43 +01:00
l3mdev
lapb
net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
llc
llc: do not use sk_eat_skb()
2018-12-01 09:42:51 +01:00
mac80211
mac80211: Fix condition validating WMM IE
2018-12-21 14:13:10 +01:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 19:55:52 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-02-22 15:42:28 +01:00
ncsi
net/ncsi: Fix length of GVI response packet
2017-10-21 01:56:38 +01:00
netfilter
netfilter: nat: can't use dst_hold on noref dst
2019-01-13 10:00:58 +01:00
netlabel
netlabel: check for IPV4MASK in addrinfo_get
2018-10-18 09:16:18 +02:00
netlink
netlink: Don't shift on 64 for ngroups
2018-08-09 12:16:38 +02:00
netrom
netrom: fix locking in nr_find_socket()
2019-01-09 17:14:44 +01:00
nfc
NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
2018-09-29 03:06:01 -07:00
nsh
nsh: set mac len based on inner packet
2018-07-22 14:28:49 +02:00
openvswitch
openvswitch: Fix push/pop ethernet validation
2018-11-04 14:52:50 +01:00
packet
packet: validate address length if non-zero
2019-01-09 17:14:44 +01:00
phonet
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
psample
MAINTAINERS: Update Yotam's E-mail
2017-11-01 12:19:03 +09:00
qrtr
net: qrtr: Broadcast messages only from control port
2018-08-24 13:09:13 +02:00
rds
rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
2018-10-13 09:27:29 +02:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:10:26 +02:00
rose
rxrpc
rxrpc: Fix connection-level abort handling
2018-11-04 14:52:46 +01:00
sched
net: Prevent invalid access to skb->prev in __qdisc_drop_all
2018-12-17 09:28:46 +01:00
sctp
sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
2019-01-09 17:14:44 +01:00
smc
net/smc: fix TCP fallback socket release
2019-01-09 17:14:46 +01:00
strparser
strparser: Remove early eaten to fix full tcp receive buffer stall
2018-07-22 14:28:47 +02:00
sunrpc
sock: Make sock->sk_stamp thread-safe
2019-01-09 17:14:46 +01:00
switchdev
net: switchdev: Remove bridge bypass support from switchdev
2017-08-07 14:48:48 -07:00
tipc
tipc: compare remote and local protocols in tipc_udp_enable()
2019-01-09 17:14:46 +01:00
tls
net/tls: Fixed return value when tls_complete_pending_work() fails
2018-12-05 19:41:11 +01:00
unix
License cleanup: add SPDX license identifiers to some files
2017-11-02 10:04:46 -07:00
vmw_vsock
VSOCK: Send reset control packet when socket is partially bound
2019-01-09 17:14:45 +01:00
wimax
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
wireless
cfg80211: fix use-after-free in reg_process_hint()
2018-11-04 14:52:40 +01:00
x25
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xfrm
xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry.
2019-01-13 10:00:57 +01:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-09 17:14:46 +01:00
Kconfig
net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros.
2017-09-04 13:25:20 +02:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
socket.c
net: socket: fix a missing-check bug
2018-11-04 14:52:49 +01:00
sysctl_net.c