| From e4a8cca460c381539a5403d9434a5977c453fe0b Mon Sep 17 00:00:00 2001 |
| From: Pablo Neira Ayuso <pablo@netfilter.org> |
| Date: Mon, 11 Mar 2019 13:04:16 +0100 |
| Subject: netfilter: nf_tables: use-after-free in dynamic operations |
| |
| [ Upstream commit 3f3a390dbd59d236f62cff8e8b20355ef7069e3d ] |
| |
| Smatch reports: |
| |
| net/netfilter/nf_tables_api.c:2167 nf_tables_expr_destroy() |
| error: dereferencing freed memory 'expr->ops' |
| |
| net/netfilter/nf_tables_api.c |
| 2162 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, |
| 2163 struct nft_expr *expr) |
| 2164 { |
| 2165 if (expr->ops->destroy) |
| 2166 expr->ops->destroy(ctx, expr); |
| ^^^^ |
| --> 2167 module_put(expr->ops->type->owner); |
| ^^^^^^^^^ |
| 2168 } |
| |
| Smatch says there are three functions which free expr->ops. |
| |
| Fixes: b8e204006340 ("netfilter: nft_compat: use .release_ops and remove list of extension") |
| Reported-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/netfilter/nf_tables_api.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c |
| index dc3670f2860e..f20b904873c6 100644 |
| --- a/net/netfilter/nf_tables_api.c |
| +++ b/net/netfilter/nf_tables_api.c |
| @@ -2119,9 +2119,11 @@ static int nf_tables_newexpr(const struct nft_ctx *ctx, |
| static void nf_tables_expr_destroy(const struct nft_ctx *ctx, |
| struct nft_expr *expr) |
| { |
| + const struct nft_expr_type *type = expr->ops->type; |
| + |
| if (expr->ops->destroy) |
| expr->ops->destroy(ctx, expr); |
| - module_put(expr->ops->type->owner); |
| + module_put(type->owner); |
| } |
| |
| struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, |
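Review bot: The new local `type` in nf_tables_expr_destroy() has no comment explaining why it is read before the ->destroy() call. Without one, a later cleanup could fold it back into `module_put(expr->ops->type->owner)` and reintroduce the use-after-free that Smatch reported. I would add above the declaration: `/* ->destroy() may free expr->ops, so read the type before calling it */`. The fix also relies on the nft_expr_type object outliving expr->ops, presumably because the module reference is only dropped by the module_put() at the end. That is not visible in this hunk and is worth confirming for the three freeing functions the commit message mentions.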
| -- |
| 2.19.1 |
| |