From 7461f98a4ec9a927e282ed4e4d01c89a846a56c8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 20 May 2018 09:47:00 +0200
Subject: [PATCH] 4.16-stable patches

added patches:
netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
netfilter-nf_tables-free-set-name-in-error-path.patch
netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch
---
 ...r-linking-rule-into-active-rule-list.patch | 110 ++++++++++++++++++
 ...f_tables-free-set-name-in-error-path.patch | 46 ++++++++
 ...es_obj_lookup_byhandle-can-be-static.patch | 42 +++++++
 queue-4.16/series | 4 +
 ...ee-via-temporarily-dropped-reference.patch | 39 +++++++
 5 files changed, 241 insertions(+)
 create mode 100644 queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
 create mode 100644 queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch
 create mode 100644 queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
 create mode 100644 queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch

diff --git a/queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch b/queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
new file mode 100644
index 00000000000..e7bf42b91fa
--- /dev/null
+++ b/queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
@@ -0,0 +1,110 @@
+From 569ccae68b38654f04b6842b034aa33857f605fe Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Tue, 10 Apr 2018 09:30:27 +0200
+Subject: netfilter: nf_tables: can't fail after linking rule into active rule list
+
+From: Florian Westphal
+
+commit 569ccae68b38654f04b6842b034aa33857f605fe upstream.
+
+rules in nftables a free'd using kfree, but protected by rcu, i.e. we
+must wait for a grace period to elapse.
+
+Normal removal patch does this, but nf_tables_newrule() doesn't obey
+this rule during error handling.
+
+It calls nft_trans_rule_add() *after* linking rule, and, if that
+fails to allocate memory, it unlinks the rule and then kfree() it --
+this is unsafe.
+
+Switch order -- first add rule to transaction list, THEN link it
+to public list.
+
+Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this
+is not a problem in practice (spotted only during code review).
+
+Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 59 ++++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 27 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2357,41 +2357,46 @@ static int nf_tables_newrule(struct net
+ }
+
+ if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+- if (nft_is_active_next(net, old_rule)) {
+- trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+- old_rule);
+- if (trans == NULL) {
+- err = -ENOMEM;
+- goto err2;
+- }
+- nft_deactivate_next(net, old_rule);
+- chain->use--;
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- } else {
++ if (!nft_is_active_next(net, old_rule)) {
+ err = -ENOENT;
+ goto err2;
+ }
+- } else if (nlh->nlmsg_flags & NLM_F_APPEND)
+- if (old_rule)
+- list_add_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_tail_rcu(&rule->list, &chain->rules);
+- else {
+- if (old_rule)
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_rcu(&rule->list, &chain->rules);
+- }
++ trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
++ old_rule);
++ if (trans == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++ nft_deactivate_next(net, old_rule);
++ chain->use--;
++
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
+
+- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+- err = -ENOMEM;
+- goto err3;
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ } else {
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ if (nlh->nlmsg_flags & NLM_F_APPEND) {
++ if (old_rule)
++ list_add_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_tail_rcu(&rule->list, &chain->rules);
++ } else {
++ if (old_rule)
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_rcu(&rule->list, &chain->rules);
++ }
+ }
+ chain->use++;
+ return 0;
+
+-err3:
+- list_del_rcu(&rule->list);
+ err2:
+ nf_tables_rule_destroy(&ctx, rule);
+ err1:
diff --git a/queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch b/queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch
new file mode 100644
index 00000000000..da38d6916e1
--- /dev/null
+++ b/queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch
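Review bot: In the NLM_F_REPLACE branch, the `goto err2` after the NFT_MSG_NEWRULE nft_trans_rule_add() check now runs with the DELRULE transaction already queued, old_rule deactivated and chain->use decremented, while err2 only destroys the new rule; unwinding that partial state is presumably left to the batch abort path, which is not visible in this hunk. The old code had the same shape (it reached err3/err2 in the same situation), so this is not a regression, and the commit message notes the allocation cannot fail with GFP_KERNEL, but the reliance is implicit. A short comment above that check would make it explicit: `/* cannot fail in practice (GFP_KERNEL); on failure the queued DELRULE transaction is undone by the batch abort path */`. nf_tables_newrule() begins before this hunk and its err1 path continues after it.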
@@ -0,0 +1,46 @@
+From 2f6adf481527c8ab8033c601f55bfb5b3712b2ac Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Tue, 10 Apr 2018 09:00:24 +0200
+Subject: netfilter: nf_tables: free set name in error path
+
+From: Florian Westphal
+
+commit 2f6adf481527c8ab8033c601f55bfb5b3712b2ac upstream.
+
+set->name must be free'd here in case ops->init fails.
+
+Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3203,18 +3203,20 @@ static int nf_tables_newset(struct net *
+
+ err = ops->init(set, &desc, nla);
+ if (err < 0)
+- goto err2;
++ goto err3;
+
+ err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
+ if (err < 0)
+- goto err3;
++ goto err4;
+
+ list_add_tail_rcu(&set->list, &table->sets);
+ table->use++;
+ return 0;
+
+-err3:
++err4:
+ ops->destroy(set);
++err3:
++ kfree(set->name);
+ err2:
+ kvfree(set);
+ err1:
diff --git a/queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch b/queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
new file mode 100644
index 00000000000..7929810824e
--- /dev/null
+++ b/queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
@@ -0,0 +1,42 @@
+From ae0662f84b105776734cb089703a7bf834bac195 Mon Sep 17 00:00:00 2001
+From: kbuild test robot
+Date: Sat, 20 Jan 2018 04:27:58 +0800
+Subject: netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static
+
+From: kbuild test robot
+
+commit ae0662f84b105776734cb089703a7bf834bac195 upstream.
+
+Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
+Signed-off-by: Fengguang Wu
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4399,9 +4399,9 @@ struct nft_object *nf_tables_obj_lookup(
+ }
+ EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
+
+-struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
+- const struct nlattr *nla,
+- u32 objtype, u8 genmask)
++static struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
++ const struct nlattr *nla,
++ u32 objtype, u8 genmask)
+ {
+ struct nft_object *obj;
+
+@@ -4921,7 +4921,7 @@ struct nft_flowtable *nf_tables_flowtabl
+ }
+ EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
+
+-struct nft_flowtable *
++static struct nft_flowtable *
+ nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
+ const struct nlattr *nla, u8 genmask)
+ {
diff --git a/queue-4.16/series b/queue-4.16/series
index 0bb9cdda67a..5f9c332b7ed 100644
--- a/queue-4.16/series
+++ b/queue-4.16/series
@@ -22,3 +22,7 @@ vfio-ccw-fix-cleanup-if-cp_prefetch-fails.patch
 tracing-x86-xen-remove-zero-data-size-trace-events-trace_xen_mmu_flush_tlb-_all.patch
 vsprintf-replace-memory-barrier-with-static_key-for-random_ptr_key-update.patch
 x86-amd_nb-add-support-for-raven-ridge-cpus.patch
+tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch
+netfilter-nf_tables-free-set-name-in-error-path.patch
+netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
+netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
diff --git a/queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch b/queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch
new file mode 100644
index 00000000000..9d6ef95096b
--- /dev/null
+++ b/queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch
@@ -0,0 +1,39 @@
+From bb765d1c331f62b59049d35607ed2e365802bef9 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 4 Apr 2018 21:03:21 +0200
+Subject: tee: shm: fix use-after-free via temporarily dropped reference
+
+From: Jann Horn
+
+commit bb765d1c331f62b59049d35607ed2e365802bef9 upstream.
+
+Bump the file's refcount before moving the reference into the fd table,
+not afterwards. The old code could drop the file's refcount to zero for a
+short moment before calling get_file() via get_dma_buf().
+
+This code can only be triggered on ARM systems that use Linaro's OP-TEE.
+
+Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem")
+Signed-off-by: Jann Horn
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tee/tee_shm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -360,9 +360,10 @@ int tee_shm_get_fd(struct tee_shm *shm)
+ if (!(shm->flags & TEE_SHM_DMA_BUF))
+ return -EINVAL;
+
++ get_dma_buf(shm->dmabuf);
+ fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
+- if (fd >= 0)
+- get_dma_buf(shm->dmabuf);
++ if (fd < 0)
++ dma_buf_put(shm->dmabuf);
+ return fd;
+ }
+
-- 
2.47.3
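Review bot: The corrected ordering in tee_shm_get_fd() leaves the reference-ownership rule implicit: per the commit message, dma_buf_fd() moves the reference into the fd table on success, so the reference taken by the preceding get_dma_buf() is consumed there and only the failure branch must release it with dma_buf_put(). Nothing in the code says so, and a later reader could "simplify" the sequence back into the racy form the patch removes. A one-line comment above the get_dma_buf() call would pin the invariant: `/* take our ref first; dma_buf_fd() hands it to the fd table on success, so only the error path puts it */`. The function's signature and the declaration of `fd` lie outside this hunk.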