From 2bc16a5df36f2d87324665daf8c8fecf89cf1bac Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 28 Nov 2020 11:09:20 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
netfilter-clear-skb-next-in-nf_hook_list.patch
---
 ...ilter-clear-skb-next-in-nf_hook_list.patch | 43 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 queue-5.4/netfilter-clear-skb-next-in-nf_hook_list.patch

diff --git a/queue-5.4/netfilter-clear-skb-next-in-nf_hook_list.patch b/queue-5.4/netfilter-clear-skb-next-in-nf_hook_list.patch
new file mode 100644
index 00000000000..a909b9eccd4
--- /dev/null
+++ b/queue-5.4/netfilter-clear-skb-next-in-nf_hook_list.patch
@@ -0,0 +1,43 @@
+From xiyou.wangcong@gmail.com Sat Nov 28 11:07:47 2020
+From: Cong Wang
+Date: Fri, 20 Nov 2020 19:43:17 -0800
+Subject: netfilter: clear skb->next in NF_HOOK_LIST()
+To: netdev@vger.kernel.org
+Cc: Cong Wang , liuzx@knownsec.com, Florian Westphal , Edward Cree , stable@vger.kernel.org, Greg Kroah-Hartman
+Message-ID: <20201121034317.577081-1-xiyou.wangcong@gmail.com>
+
+
+From: Cong Wang
+
+NF_HOOK_LIST() uses list_del() to remove skb from the linked list,
+however, it is not sufficient as skb->next still points to other
+skb. We should just call skb_list_del_init() to clear skb->next,
+like the rest places which using skb list.
+
+This has been fixed in upstream by commit ca58fbe06c54
+("netfilter: add and use nf_hook_slow_list()").
+
+Fixes: 9f17dbf04ddf ("netfilter: fix use-after-free in NF_HOOK_LIST")
+Reported-by: liuzx@knownsec.com
+Tested-by: liuzx@knownsec.com
+Cc: Florian Westphal
+Cc: Edward Cree
+Cc: stable@vger.kernel.org # between 4.19 and 5.4
+Signed-off-by: Cong Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/netfilter.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -316,7 +316,7 @@ NF_HOOK_LIST(uint8_t pf, unsigned int ho
+ 
+ 	INIT_LIST_HEAD(&sublist);
+ 	list_for_each_entry_safe(skb, next, head, list) {
+-		list_del(&skb->list);
++		skb_list_del_init(skb);
+ 		if (nf_hook(pf, hook, net, sk, skb, in, out, okfn) == 1)
+ 			list_add_tail(&skb->list, &sublist);
+ 	}
diff --git a/queue-5.4/series b/queue-5.4/series
index fe8a9dbcfc9..66f386c51c0 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1,3 +1,4 @@
 spi-bcm-qspi-fix-use-after-free-on-unbind.patch
 spi-bcm2835-fix-use-after-free-on-unbind.patch
 ipv4-use-is_enabled-instead-of-ifdef.patch
+netfilter-clear-skb-next-in-nf_hook_list.patch
-- 
2.47.3
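Review bot: The switch from `list_del(&skb->list)` to `skb_list_del_init(skb)` in the inner include/linux/netfilter.h hunk carries no in-code comment, so the reason that appears only in the patch description (list_del() leaves skb->next pointing at another skb) is invisible to whoever next reads NF_HOOK_LIST() in that header. I would add `/* must also reset skb->next; plain list_del() leaves it stale */` above the changed line. Because this stable-only fix deliberately diverges from the upstream resolution (commit ca58fbe06c54, nf_hook_slow_list()), any later backport that touches NF_HOOK_LIST() in this tree should be checked against it so the two do not collide. NF_HOOK_LIST()'s body starts and ends outside the hunk, so whether sublist is spliced back onto head afterwards cannot be confirmed from here.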