Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

davem330 · davem330 · commit c00e858d550c · 2020-07-04T17:47:35.000-07:00
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Use kvfree() to release vmalloc()'ed areas in ipset, from Eric Dumazet.

2) UAF in nfnetlink_queue from the nf_conntrack_update() path.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -326,7 +326,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
 	set->variant = &bitmap_ip;
 	if (!init_map_ip(set, map, first_ip, last_ip,
 			 elements, hosts, netmask)) {
-		kfree(map);
+		ip_set_free(map);
 		return -ENOMEM;
 	}
 	if (tb[IPSET_ATTR_TIMEOUT]) {
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
 	map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
 	set->variant = &bitmap_ipmac;
 	if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
-		kfree(map);
+		ip_set_free(map);
 		return -ENOMEM;
 	}
 	if (tb[IPSET_ATTR_TIMEOUT]) {
diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -274,7 +274,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
 	map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
 	set->variant = &bitmap_port;
 	if (!init_map_port(set, map, first_port, last_port)) {
-		kfree(map);
+		ip_set_free(map);
 		return -ENOMEM;
 	}
 	if (tb[IPSET_ATTR_TIMEOUT]) {
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried)
 	}
 	t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));
 	if (!t->hregion) {
-		kfree(t);
+		ip_set_free(t);
 		ret = -ENOMEM;
 		goto out;
 	}
@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
 	}
 	t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits));
 	if (!t->hregion) {
-		kfree(t);
+		ip_set_free(t);
 		kfree(h);
 		return -ENOMEM;
 	}
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
@@ -2158,6 +2158,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
 		err = __nf_conntrack_update(net, skb, ct, ctinfo);
 		if (err < 0)
 			return err;
+
+		ct = nf_ct_get(skb, &ctinfo);
 	}
 
 	return nf_confirm_cthelper(skb, ct, ctinfo);

Original file line number	Diff line number	Diff line change
`@@ -326,7 +326,7 @@ bitmap_ip_create(struct net net, struct ip_set set, struct nlattr *tb[],`
`326`	`326`	`set->variant = &bitmap_ip;`
`327`	`327`	`if (!init_map_ip(set, map, first_ip, last_ip,`
`328`	`328`	`elements, hosts, netmask)) {`
`329`		`- kfree(map);`
	`329`	`+ ip_set_free(map);`
`330`	`330`	`return -ENOMEM;`
`331`	`331`	`}`
`332`	`332`	`if (tb[IPSET_ATTR_TIMEOUT]) {`
Original file line number	Diff line number	Diff line change
`@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net net, struct ip_set set, struct nlattr *tb[],`
`363`	`363`	`map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);`
`364`	`364`	`set->variant = &bitmap_ipmac;`
`365`	`365`	`if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {`
`366`		`- kfree(map);`
	`366`	`+ ip_set_free(map);`
`367`	`367`	`return -ENOMEM;`
`368`	`368`	`}`
`369`	`369`	`if (tb[IPSET_ATTR_TIMEOUT]) {`
Original file line number	Diff line number	Diff line change
`@@ -274,7 +274,7 @@ bitmap_port_create(struct net net, struct ip_set set, struct nlattr *tb[],`
`274`	`274`	`map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);`
`275`	`275`	`set->variant = &bitmap_port;`
`276`	`276`	`if (!init_map_port(set, map, first_port, last_port)) {`
`277`		`- kfree(map);`
	`277`	`+ ip_set_free(map);`
`278`	`278`	`return -ENOMEM;`
`279`	`279`	`}`
`280`	`280`	`if (tb[IPSET_ATTR_TIMEOUT]) {`
Original file line number	Diff line number	Diff line change
`@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried)`
`682`	`682`	`}`
`683`	`683`	`t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));`
`684`	`684`	`if (!t->hregion) {`
`685`		`- kfree(t);`
	`685`	`+ ip_set_free(t);`
`686`	`686`	`ret = -ENOMEM;`
`687`	`687`	`goto out;`
`688`	`688`	`}`
`@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net net, struct ip_set set,`
`1533`	`1533`	`}`
`1534`	`1534`	`t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits));`
`1535`	`1535`	`if (!t->hregion) {`
`1536`		`- kfree(t);`
	`1536`	`+ ip_set_free(t);`
`1537`	`1537`	`kfree(h);`
`1538`	`1538`	`return -ENOMEM;`
`1539`	`1539`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2158,6 +2158,8 @@ static int nf_conntrack_update(struct net net, struct sk_buff skb)`
`2158`	`2158`	`err = __nf_conntrack_update(net, skb, ct, ctinfo);`
`2159`	`2159`	`if (err < 0)`
`2160`	`2160`	`return err;`
	`2161`	`+`
	`2162`	`+ ct = nf_ct_get(skb, &ctinfo);`
`2161`	`2163`	`}`
`2162`	`2164`
`2163`	`2165`	`return nf_confirm_cthelper(skb, ct, ctinfo);`