releases/4.9.124/netfilter-nf_conntrack-fix-possible-possible-crash-on-module-loading.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Wed Aug 22 09:42:09 CEST 2018
 From: Andrey Ryabinin <aryabinin@virtuozzo.com>
 Date: Fri, 6 Jul 2018 16:38:53 +0300
 Subject: netfilter: nf_conntrack: Fix possible possible crash on module loading.

 From: Andrey Ryabinin <aryabinin@virtuozzo.com>

 [ Upstream commit 2045cdfa1b40d66f126f3fd05604fc7c754f0022 ]

 Loading the nf_conntrack module with doubled hashsize parameter, i.e.
 	  modprobe nf_conntrack hashsize=12345 hashsize=12345
 causes NULL-ptr deref.

 If 'hashsize' specified twice, the nf_conntrack_set_hashsize() function
 will be called also twice.
 The first nf_conntrack_set_hashsize() call will set the
 'nf_conntrack_htable_size' variable:

 	nf_conntrack_set_hashsize()
 		...
 		/* On boot, we can set this without any fancy locking. */
 		if (!nf_conntrack_htable_size)
 			return param_set_uint(val, kp);

 But on the second invocation, the nf_conntrack_htable_size is already set,
 so the nf_conntrack_set_hashsize() will take a different path and call
 the nf_conntrack_hash_resize() function. Which will crash on the attempt
 to dereference 'nf_conntrack_hash' pointer:

 	BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 	RIP: 0010:nf_conntrack_hash_resize+0x255/0x490 [nf_conntrack]
 	Call Trace:
 	 nf_conntrack_set_hashsize+0xcd/0x100 [nf_conntrack]
 	 parse_args+0x1f9/0x5a0
 	 load_module+0x1281/0x1a50
 	 __se_sys_finit_module+0xbe/0xf0
 	 do_syscall_64+0x7c/0x390
 	 entry_SYSCALL_64_after_hwframe+0x49/0xbe

 Fix this, by checking !nf_conntrack_hash instead of
 !nf_conntrack_htable_size. nf_conntrack_hash will be initialized only
 after the module loaded, so the second invocation of the
 nf_conntrack_set_hashsize() won't crash, it will just reinitialize
 nf_conntrack_htable_size again.

 Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/netfilter/nf_conntrack_core.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
 @@ -1822,7 +1822,7 @@ int nf_conntrack_set_hashsize(const char
  		return -EOPNOTSUPP;

  	/* On boot, we can set this without any fancy locking. */
 -	if (!nf_conntrack_htable_size)
 +	if (!nf_conntrack_hash)
  		return param_set_uint(val, kp);

  	rc = kstrtouint(val, 0, &hashsize);
	From foo@baz Wed Aug 22 09:42:09 CEST 2018
	From: Andrey Ryabinin <aryabinin@virtuozzo.com>
	Date: Fri, 6 Jul 2018 16:38:53 +0300
	Subject: netfilter: nf_conntrack: Fix possible possible crash on module loading.

	From: Andrey Ryabinin <aryabinin@virtuozzo.com>

	[ Upstream commit 2045cdfa1b40d66f126f3fd05604fc7c754f0022 ]

	Loading the nf_conntrack module with doubled hashsize parameter, i.e.
	modprobe nf_conntrack hashsize=12345 hashsize=12345
	causes NULL-ptr deref.

	If 'hashsize' specified twice, the nf_conntrack_set_hashsize() function
	will be called also twice.
	The first nf_conntrack_set_hashsize() call will set the
	'nf_conntrack_htable_size' variable:

	nf_conntrack_set_hashsize()
	...
	/* On boot, we can set this without any fancy locking. */
	if (!nf_conntrack_htable_size)
	return param_set_uint(val, kp);

	But on the second invocation, the nf_conntrack_htable_size is already set,
	so the nf_conntrack_set_hashsize() will take a different path and call
	the nf_conntrack_hash_resize() function. Which will crash on the attempt
	to dereference 'nf_conntrack_hash' pointer:

	BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
	RIP: 0010:nf_conntrack_hash_resize+0x255/0x490 [nf_conntrack]
	Call Trace:
	nf_conntrack_set_hashsize+0xcd/0x100 [nf_conntrack]
	parse_args+0x1f9/0x5a0
	load_module+0x1281/0x1a50
	__se_sys_finit_module+0xbe/0xf0
	do_syscall_64+0x7c/0x390
	entry_SYSCALL_64_after_hwframe+0x49/0xbe

	Fix this, by checking !nf_conntrack_hash instead of
	!nf_conntrack_htable_size. nf_conntrack_hash will be initialized only
	after the module loaded, so the second invocation of the
	nf_conntrack_set_hashsize() won't crash, it will just reinitialize
	nf_conntrack_htable_size again.

	Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/netfilter/nf_conntrack_core.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- a/net/netfilter/nf_conntrack_core.c
	+++ b/net/netfilter/nf_conntrack_core.c
	@@ -1822,7 +1822,7 @@ int nf_conntrack_set_hashsize(const char
	return -EOPNOTSUPP;

	/* On boot, we can set this without any fancy locking. */
	- if (!nf_conntrack_htable_size)
	+ if (!nf_conntrack_hash)
	return param_set_uint(val, kp);

	rc = kstrtouint(val, 0, &hashsize);