* [PATCH nf] netfilter: nat: fix crash when conntrack entry is re-used
@ 2016-11-23  0:11 Florian Westphal
From: Florian Westphal @ 2016-11-23  0:11 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Stas Nichiporovich reports oops in nf_nat_bysource_cmp(), trying to
access nf_conn struct at address 0xffffffffffffff50.

This is the result of fetching a null rhash list (struct embedded at
offset 176; 0 - 176 gets us ...fff50).

The problem is that conntrack entries are allocated from a
SLAB_DESTROY_BY_RCU cache, i.e. entries can be free'd and reused
on another cpu while the nf nat bysource hash accesses the same conntrack entry.

Freeing is fine (we hold rcu read lock); zeroing rhlist_head isn't.

-> Move the rhlist struct outside of the memset()-inited area.

Fixes: 7c9664351980aaa6a ("netfilter: move nat hlist_head to nf_conn")
Reported-by: Stas Nichiporovich <stasn77@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 This is on top of https://patchwork.ozlabs.org/patch/695587/ .

 include/net/netfilter/nf_conntrack.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index dc143ada9762..d9d52c020a70 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -100,6 +100,9 @@ struct nf_conn {
 
 	possible_net_t ct_net;
 
+#if IS_ENABLED(CONFIG_NF_NAT)
+	struct rhlist_head nat_bysource;
+#endif
 	/* all members below initialized via memset */
 	u8 __nfct_init_offset[0];
 
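Review bot: the field now sits above `u8 __nfct_init_offset[0]`, so the allocation-path memset no longer touches it, but the hunk adds no comment explaining that the position is load-bearing; the existing `/* all members below initialized via memset */` reads as if the ordering were incidental. Suggest a short comment above the `#if IS_ENABLED(CONFIG_NF_NAT)` block, along the lines of "must stay above __nfct_init_offset: an RCU reader may still walk this list link after the object was freed and re-used (SLAB_DESTROY_BY_RCU)", so that a later reorder of the struct does not silently reintroduce the crash.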
@@ -117,9 +120,6 @@ struct nf_conn {
 	/* Extensions */
 	struct nf_ct_ext *ext;
 
-#if IS_ENABLED(CONFIG_NF_NAT)
-	struct rhlist_head nat_bysource;
-#endif
 	/* Storage reserved for other modules, must be the last member */
 	union nf_conntrack_proto proto;
 };
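Review bot: removing the block here means `nat_bysource` is no longer zeroed on allocation at all; nothing in this patch initialises it, so the rhlist insert path (the prerequisite patch referenced in the cover text) must be the only writer of the link. Worth confirming that no code tests `nat_bysource` for a NULL link to decide whether an entry was ever inserted, since such a check would now see stale data left behind by the previous occupant of the slab object. The `/* Storage reserved for other modules, must be the last member */` invariant on `proto` is unaffected.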
-- 
2.7.3


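The following is an added illustration of the layout problem the patch fixes; it is not code from the patch, from the kernel, or from the thread's authors. It uses constructed, simplified stand-ins for struct nf_conn (field names are borrowed, the layout and sizes are not the kernel's), a two-pointer stand-in for struct rhlist_head, and offsetof() of the first zeroed member in place of the kernel's zero-length `__nfct_init_offset[0]` marker. It shows why a NULL rhlist_head pointer fed through container_of() yields the reported 0xffffffffffffff50, and why a list link placed inside the memset()-initialised region is wiped out from under a concurrent reader when a SLAB_DESTROY_BY_RCU object is re-used, while a link placed above the marker survives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct rhlist_head: two list links. */
struct rhlist_head {
	void *next;
	void *rhead_next;
};

/* Simplified stand-in for struct nf_conn BEFORE the patch: nat_bysource sits
 * below the init marker, inside the region the allocation path wipes. The
 * first zeroed member (`mark`) plays the role of __nfct_init_offset here. */
struct conn_old {
	uint64_t tuplehash[4];       /* stand-in for the connection tuples */
	uint64_t mark;               /* first member zeroed on (re)allocation */
	void *ext;
	struct rhlist_head nat_bysource;
	uint64_t proto;              /* must stay last, as in the kernel */
};

/* AFTER the patch: nat_bysource moved above the init marker. */
struct conn_new {
	uint64_t tuplehash[4];
	struct rhlist_head nat_bysource;
	uint64_t mark;               /* first member zeroed on (re)allocation */
	void *ext;
	uint64_t proto;
};

/* container_of() in integer arithmetic, so a NULL link can be fed in without
 * undefined pointer arithmetic. */
#define container_of_addr(ptr, type, member) \
	((uintptr_t)(ptr) - offsetof(type, member))

/* The address in the report: a NULL rhlist_head pointer, embedded 176 bytes
 * into nf_conn in the reporter's build, wrapped back through container_of(). */
uint64_t kernel_oops_addr(void)
{
	return (uint64_t)0 - 176;
}

/* Same computation for the simplified layout above; the offset differs. */
uintptr_t bogus_conn_from_null_link(void)
{
	struct rhlist_head *null_link = NULL;
	return container_of_addr(null_link, struct conn_old, nat_bysource);
}

/* Simulated allocation-path memset: wipe from the init marker to the end. On a
 * SLAB_DESTROY_BY_RCU cache this can run on a re-used object while an RCU
 * reader on another CPU still holds a pointer into it. */
static void reinit_old(struct conn_old *ct)
{
	size_t off = offsetof(struct conn_old, mark);
	memset((char *)ct + off, 0, sizeof(*ct) - off);
}

static void reinit_new(struct conn_new *ct)
{
	size_t off = offsetof(struct conn_new, mark);
	memset((char *)ct + off, 0, sizeof(*ct) - off);
}

/* Race sketch: a reader holds ct->nat_bysource (under rcu_read_lock) when the
 * object is freed and re-initialised. Returns 1 if the link survived, else 0. */
int old_layout_link_survives(void)
{
	static struct rhlist_head bucket_next;   /* some other chain element */
	struct conn_old ct;
	memset(&ct, 0, sizeof(ct));
	ct.nat_bysource.next = &bucket_next;
	ct.nat_bysource.rhead_next = &bucket_next;
	struct rhlist_head *reader = &ct.nat_bysource;
	reinit_old(&ct);                         /* concurrent free + reuse */
	return reader->next != NULL;
}

int new_layout_link_survives(void)
{
	static struct rhlist_head bucket_next;
	struct conn_new ct;
	memset(&ct, 0, sizeof(ct));
	ct.nat_bysource.next = &bucket_next;
	ct.nat_bysource.rhead_next = &bucket_next;
	struct rhlist_head *reader = &ct.nat_bysource;
	reinit_new(&ct);
	return reader->next != NULL;
}

int main(void)
{
	printf("reported oops address: 0x%llx\n",
	       (unsigned long long)kernel_oops_addr());
	printf("old layout: link survives reuse? %d\n", old_layout_link_survives());
	printf("new layout: link survives reuse? %d\n", new_layout_link_survives());
	return 0;
}
```

The point of the two `*_link_survives` functions is that the reader never dereferences freed memory (RCU keeps the object alive and the slab is DESTROY_BY_RCU), yet in the old layout its view of the list link still becomes NULL because re-initialisation of the new occupant runs memset() over it; the fix is purely a matter of which side of the init marker the link lives on.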

* Re: [PATCH nf] netfilter: nat: fix crash when conntrack entry is re-used
From: Pablo Neira Ayuso @ 2016-11-24 12:53 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Nov 23, 2016 at 01:11:03AM +0100, Florian Westphal wrote:
> Stas Nichiporovich reports oops in nf_nat_bysource_cmp(), trying to
> access nf_conn struct at address 0xffffffffffffff50.
> 
> This is the result of fetching a null rhash list (struct embedded at
> offset 176; 0 - 176 gets us ...fff50).
> 
> The problem is that conntrack entries are allocated from a
> SLAB_DESTROY_BY_RCU cache, i.e. entries can be free'd and reused
> on another cpu while the nf nat bysource hash accesses the same conntrack entry.
> 
> Freeing is fine (we hold rcu read lock); zeroing rhlist_head isn't.
> 
> -> Move the rhlist struct outside of the memset()-inited area.

Also applied, thanks.
