releases/5.4.52/netfilter-conntrack-refetch-conntrack-after-nf_connt.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 2b62181ade0918942d061e6fd6db0b7f4ed929ec Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Wed, 1 Jul 2020 13:17:40 +0200
 Subject: netfilter: conntrack: refetch conntrack after nf_conntrack_update()

 From: Pablo Neira Ayuso <pablo@netfilter.org>

 [ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ]

 __nf_conntrack_update() might refresh the conntrack object that is
 attached to the skbuff. Otherwise, this triggers UAF.

 [  633.200434] ==================================================================
 [  633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack]
 [  633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769

 [  633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388
 [  633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
 [  633.200491] Call Trace:
 [  633.200499]  dump_stack+0x7c/0xb0
 [  633.200526]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
 [  633.200532]  print_address_description.constprop.6+0x1a/0x200
 [  633.200539]  ? _raw_write_lock_irqsave+0xc0/0xc0
 [  633.200568]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
 [  633.200594]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
 [  633.200598]  kasan_report.cold.9+0x1f/0x42
 [  633.200604]  ? call_rcu+0x2c0/0x390
 [  633.200633]  ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
 [  633.200659]  nf_conntrack_update+0x34e/0x770 [nf_conntrack]
 [  633.200687]  ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack]

 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436
 Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  net/netfilter/nf_conntrack_core.c | 2 ++
  1 file changed, 2 insertions(+)

 diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
 index 48db4aec02dea..200cdad3ff3ab 100644
 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
 @@ -2012,6 +2012,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
  		err = __nf_conntrack_update(net, skb, ct, ctinfo);
  		if (err < 0)
  			return err;
 +
 +		ct = nf_ct_get(skb, &ctinfo);
  	}

  	return nf_confirm_cthelper(skb, ct, ctinfo);
 --
 2.25.1
	From 2b62181ade0918942d061e6fd6db0b7f4ed929ec Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Wed, 1 Jul 2020 13:17:40 +0200
	Subject: netfilter: conntrack: refetch conntrack after nf_conntrack_update()

	From: Pablo Neira Ayuso <pablo@netfilter.org>

	[ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ]

	__nf_conntrack_update() might refresh the conntrack object that is
	attached to the skbuff. Otherwise, this triggers UAF.

	[ 633.200434] ==================================================================
	[ 633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack]
	[ 633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769

	[ 633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388
	[ 633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
	[ 633.200491] Call Trace:
	[ 633.200499] dump_stack+0x7c/0xb0
	[ 633.200526] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
	[ 633.200532] print_address_description.constprop.6+0x1a/0x200
	[ 633.200539] ? _raw_write_lock_irqsave+0xc0/0xc0
	[ 633.200568] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
	[ 633.200594] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
	[ 633.200598] kasan_report.cold.9+0x1f/0x42
	[ 633.200604] ? call_rcu+0x2c0/0x390
	[ 633.200633] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
	[ 633.200659] nf_conntrack_update+0x34e/0x770 [nf_conntrack]
	[ 633.200687] ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack]

	Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436
	Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	net/netfilter/nf_conntrack_core.c \| 2 ++
	1 file changed, 2 insertions(+)

	diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
	index 48db4aec02dea..200cdad3ff3ab 100644
	--- a/net/netfilter/nf_conntrack_core.c
	+++ b/net/netfilter/nf_conntrack_core.c
	@@ -2012,6 +2012,8 @@ static int nf_conntrack_update(struct net net, struct sk_buff skb)
	err = __nf_conntrack_update(net, skb, ct, ctinfo);
	if (err < 0)
	return err;
	+
	+ ct = nf_ct_get(skb, &ctinfo);
	}

	return nf_confirm_cthelper(skb, ct, ctinfo);
	--
	2.25.1