1 From ecd15dd7e45f3683fa8142b9f2c015dfaa0c243d Mon Sep 17 00:00:00 2001
2 From: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
3 Date: Sun, 4 May 2014 13:35:37 +0200
4 Subject: netfilter: nfnetlink: Fix use after free when it fails to process batch
5
6 From: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
7
8 commit ecd15dd7e45f3683fa8142b9f2c015dfaa0c243d upstream.
9
10 This bug manifests when calling the nft command line tool without
11 nf_tables kernel support.
12
13 kernel message:
14 [ 44.071555] Netfilter messages via NETLINK v0.30.
15 [ 44.072253] BUG: unable to handle kernel NULL pointer dereference at 0000000000000119
16 [ 44.072264] IP: [<ffffffff8171db1f>] netlink_getsockbyportid+0xf/0x70
17 [ 44.072272] PGD 7f2b74067 PUD 7f2b73067 PMD 0
18 [ 44.072277] Oops: 0000 [#1] SMP
19 [...]
20 [ 44.072369] Call Trace:
21 [ 44.072373] [<ffffffff8171fd81>] netlink_unicast+0x91/0x200
22 [ 44.072377] [<ffffffff817206c9>] netlink_ack+0x99/0x110
23 [ 44.072381] [<ffffffffa004b951>] nfnetlink_rcv+0x3c1/0x408 [nfnetlink]
24 [ 44.072385] [<ffffffff8171fde3>] netlink_unicast+0xf3/0x200
25 [ 44.072389] [<ffffffff817201ef>] netlink_sendmsg+0x2ff/0x740
26 [ 44.072394] [<ffffffff81044752>] ? __mmdrop+0x62/0x90
27 [ 44.072398] [<ffffffff816dafdb>] sock_sendmsg+0x8b/0xc0
28 [ 44.072403] [<ffffffff812f1af5>] ? copy_user_enhanced_fast_string+0x5/0x10
29 [ 44.072406] [<ffffffff816dbb6c>] ? move_addr_to_kernel+0x2c/0x50
30 [ 44.072410] [<ffffffff816db423>] ___sys_sendmsg+0x3c3/0x3d0
31 [ 44.072415] [<ffffffff811301ba>] ? handle_mm_fault+0xa9a/0xc60
32 [ 44.072420] [<ffffffff811362d6>] ? mmap_region+0x166/0x5a0
33 [ 44.072424] [<ffffffff817da84c>] ? __do_page_fault+0x1dc/0x510
34 [ 44.072428] [<ffffffff812b8b2c>] ? apparmor_capable+0x1c/0x60
35 [ 44.072435] [<ffffffff817d6e9a>] ? _raw_spin_unlock_bh+0x1a/0x20
36 [ 44.072439] [<ffffffff816dfc86>] ? release_sock+0x106/0x150
37 [ 44.072443] [<ffffffff816dc212>] __sys_sendmsg+0x42/0x80
38 [ 44.072446] [<ffffffff816dc262>] SyS_sendmsg+0x12/0x20
39 [ 44.072450] [<ffffffff817df616>] system_call_fastpath+0x1a/0x1f
40
41 Signed-off-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
42 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
43 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
44
45 ---
46 net/netfilter/nfnetlink.c | 8 ++++----
47 1 file changed, 4 insertions(+), 4 deletions(-)
48
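--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -248,15 +248,15 @@ replay:
 #endif
 {
 nfnl_unlock(subsys_id);
-kfree_skb(nskb);
-return netlink_ack(skb, nlh, -EOPNOTSUPP);
+netlink_ack(skb, nlh, -EOPNOTSUPP);
+return kfree_skb(nskb);
 }
 }
 
 if (!ss->commit || !ss->abort) {
 nfnl_unlock(subsys_id);
-kfree_skb(nskb);
-return netlink_ack(skb, nlh, -EOPNOTSUPP);
+netlink_ack(skb, nlh, -EOPNOTSUPP);
+return kfree_skb(skb);
 }
 
 while (skb->len >= nlmsg_total_size(0)) {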
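Review bot: The two rewritten error paths release different pointers — `return kfree_skb(nskb);` in the first branch and `return kfree_skb(skb);` in the second — for what reads as the same -EOPNOTSUPP bail-out. If the function earlier aliases `skb` to the clone `nskb` (that assignment is outside this hunk; I infer it from the old code freeing `nskb` in both places), the two calls free the same buffer and the asymmetry is harmless today, but one branch now looks as if it frees the caller's buffer and invites a double free or leak when either path is edited in isolation, so using the same identifier in both, `return kfree_skb(nskb);`, keeps the intent obvious. The new ordering also deserves a why-comment, since the oops in the description shows netlink_ack() reaching netlink_getsockbyportid() through the buffer the old code had just freed: `/* ack before freeing: netlink_ack() still dereferences skb */`. The enclosing function starts and ends outside this hunk.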