Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: conntrack: Avoid nf_ct_helper_hash uses after free

If nf_conntrack_init_start() fails (for example due to a
register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
clean-up path frees the nf_ct_helper_hash map.

When built with NF_CONNTRACK=y, further netfilter modules (e.g.
netfilter_conntrack_ftp) can still be loaded and call
nf_conntrack_helpers_register(), independently of whether nf_conntrack
initialized correctly. This accesses the nf_ct_helper_hash dangling
pointer and causes a uaf, possibly leading to random memory corruption.

This patch guards nf_conntrack_helper_register() from accessing a freed
or uninitialized nf_ct_helper_hash pointer and fixes possible
uses-after-free when loading a conntrack module.

Cc: stable@vger.kernel.org
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Florent Revest <revest@chromium.org>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Florent Revest and committed by Pablo Neira Ayuso
6eef7a2b 8a9dc07b

net/netfilter/nf_conntrack_helper.c (+4)
··· 360 360 BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); 361 361 BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); 362 362 363 + if (!nf_ct_helper_hash) 364 + return -ENOENT; 365 + 363 366 if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT) 364 367 return -EINVAL; 365 368 ··· 518 515 void nf_conntrack_helper_fini(void) 519 516 { 520 517 kvfree(nf_ct_helper_hash); 518 + nf_ct_helper_hash = NULL; 521 519 }
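Review bot: In the nf_conntrack_helper_register() hunk, the new `if (!nf_ct_helper_hash) return -ENOENT;` guard is correct for the failed-init case the commit message describes, but on its own it reads as an unexplained defensive check next to the BUG_ON() sanity tests; a one-line comment such as `/* conntrack core failed to init or has been torn down */` would make the intent clear to the next reader. It would also be worth stating why -ENOENT was chosen over -EINVAL or -ENOMEM, since this is the error a helper module like nf_conntrack_ftp will now surface at load time.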
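Review bot: In the nf_conntrack_helper_fini() hunk, the `nf_ct_helper_hash = NULL;` after kvfree() is the half of the fix that gives the register-side check a value it can trust; without it the freed pointer is indistinguishable from a live table. Because this function doubles as the unwind path of nf_conntrack_init_start() and as the normal teardown, a short comment noting that nf_conntrack_helper_register() relies on the pointer being NULL here would stop a later clean-up from dropping the assignment as redundant.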