Commit e7577a06 authored by Paolo Abeni's avatar Paolo Abeni
Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*:

1) Fix UaF when netfilter bpf link goes away while nfnetlink dumps
   current hook list, we have to wait until rcu readers are gone.

2) Fix UaF when flowtable fails to register all devices, similar
   bug as 1). From Pablo Neira Ayuso.

3) nfnetlink_osf fails to properly validate option length fields.
   From Weiming Shi.

netfilter pull request nf-26-03-19

* tag 'nf-26-03-19' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  nfnetlink_osf: validate individual option lengths in fingerprints
  netfilter: nf_tables: release flowtable after rcu grace period on error
  netfilter: bpf: defer hook memory release until rcu readers are done
====================

Link: https://patch.msgid.link/20260319093834.19933-1-fw@strlen.de


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents d75ec7e8 dbdfaae9
+1 −1
@@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,

static const struct bpf_link_ops bpf_nf_link_lops = {
	.release = bpf_nf_link_release,
	.dealloc = bpf_nf_link_dealloc,
	.dealloc_deferred = bpf_nf_link_dealloc,
	.detach = bpf_nf_link_detach,
	.show_fdinfo = bpf_nf_link_show_info,
	.fill_link_info = bpf_nf_link_fill_link_info,
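Review bot: The `.dealloc_deferred = bpf_nf_link_dealloc` entry in `bpf_nf_link_lops` carries no comment, yet the choice of callback slot appears to be the whole use-after-free fix described in item 1 of the pull request. A later cleanup could move it back to `.dealloc` without noticing, since the function it points to keeps its `_dealloc` name. I would add a comment above that member, for example `/* must be deferred: nfnetlink hook dumps may still read this link's hook under RCU */`. The initializer continues past the end of this section, so any other members are not visible here.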
+1 −0
@@ -9203,6 +9203,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
	return 0;

err_flowtable_hooks:
	synchronize_rcu();
	nft_trans_destroy(trans);
err_flowtable_trans:
	nft_hooks_destroy(&flowtable->hook_list);
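Review bot: The `synchronize_rcu()` under `err_flowtable_hooks:` has no comment saying which readers it waits for, and the fix depends on it running before `nft_trans_destroy(trans)` and the `nft_hooks_destroy(&flowtable->hook_list)` that follows. Going by the pull request text, the readers are RCU users that may already see hooks registered before the failure, so I would add `/* hooks registered before the failure may already be visible to RCU readers; wait for them before freeing */` above the call. It is also worth confirming that blocking for a grace period is acceptable in whatever locking context `nf_tables_newflowtable()` runs in. The function starts and ends outside this hunk, so that context is not visible here.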
+13 −0
@@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
{
	struct nf_osf_user_finger *f;
	struct nf_osf_finger *kf = NULL, *sf;
	unsigned int tot_opt_len = 0;
	int err = 0;
	int i;

	if (!capable(CAP_NET_ADMIN))
		return -EPERM;
@@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
	if (f->opt_num > ARRAY_SIZE(f->opt))
		return -EINVAL;

	for (i = 0; i < f->opt_num; i++) {
		if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
			return -EINVAL;
		if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
			return -EINVAL;

		tot_opt_len += f->opt[i].length;
		if (tot_opt_len > MAX_IPOPTLEN)
			return -EINVAL;
	}

	if (!memchr(f->genre, 0, MAXGENRELEN) ||
	    !memchr(f->subtype, 0, MAXGENRELEN) ||
	    !memchr(f->version, 0, MAXGENRELEN))
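Review bot: The MSS check in the new validation loop uses a bare `4` (`f->opt[i].length < 4`), so the reason for that minimum is not recorded next to this bounds check on user-supplied fingerprint data. Presumably the matcher reads the two MSS value bytes that follow the kind and length bytes. I would either use the existing TCP constant, `if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < TCPOLEN_MSS)`, if its header is reachable from this file, or add `/* MSS option: kind, length and a 2-byte value */`. The per-option `> MAX_IPOPTLEN` test is also covered by the running `tot_opt_len` check right below it; keeping it is harmless, but a short comment stating that the total must fit the matcher's option buffer would make the intent clear. The function body continues outside both hunks.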