android_kernel_xiaomi_sm8450/net/bridge
Florian Westphal 9060abce33 netfilter: ebtables: fix table blob use-after-free
[ Upstream commit e58a171d35e32e6e8c37cfe0e8a94406732a331f ]

We are not allowed to return an error at this point.
Looking at the code it looks like ret is always 0 at this
point, but it's not.

t = find_table_lock(net, repl->name, &ret, &ebt_mutex);

... this can return a valid table, with ret != 0.

This bug causes update of table->private with the new
blob, but then frees the blob right away in the caller.

Syzbot report:

BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
Workqueue: netns cleanup_net
Call Trace:
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
...

ip(6)tables appears to be ok (ret should be 0 at this point) but make
this more obvious.

Fixes: c58dd2dd44 ("netfilter: Can't fail and free after table replacement")
Reported-by: syzbot+f61594de72d6705aea03@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-11 16:40:12 +01:00
netfilter netfilter: ebtables: fix table blob use-after-free 2023-03-11 16:40:12 +01:00
br_arp_nd_proxy.c net: bridge: when suppression is enabled exclude RARP packets 2021-05-19 10:12:53 +02:00
br_device.c bridge: Fix a deadlock when enabling multicast snooping 2020-12-07 17:14:43 -08:00
br_fdb.c net: bridge: fix flags interpretation for extern learn fdb entries 2021-08-18 08:59:13 +02:00
br_forward.c net: bridge: mcast: when forwarding handle filter mode and blocked flag 2020-09-23 13:24:35 -07:00
br_if.c net: bridge: fix memleak in br_add_if() 2021-08-18 08:59:13 +02:00
br_input.c net: bridge: Clear offload_fwd_mark when passing frame up bridge interface. 2022-05-25 09:17:59 +02:00
br_ioctl.c net: bridge: delete duplicated words 2020-09-18 14:12:43 -07:00
br_mdb.c net: bridge: mcast: add support for blocked port groups 2020-09-23 13:24:34 -07:00
br_mrp_netlink.c bridge: mrp: Extend br_mrp_fill_info 2020-07-14 13:46:43 -07:00
br_mrp_switchdev.c bridge: mrp: Fix the usage of br_mrp_port_switchdev_set_state 2021-02-17 11:02:29 +01:00
br_mrp.c net: bridge: mrp: Update ring transitions. 2021-07-19 09:44:46 +02:00
br_multicast.c net: bridge: multicast: fix MRD advertisement router port marking race 2021-07-20 16:05:37 +02:00
br_netfilter_hooks.c netfilter: br_netfilter: disable sabotage_in hook after first suppression 2023-02-15 17:22:12 +01:00
br_netfilter_ipv6.c netfilter: br_netfilter: Drop dst references before setting. 2022-09-15 11:32:05 +02:00
br_netlink_tunnel.c net: bridge: notify on vlan tunnel changes done via the old api 2020-07-12 15:18:24 -07:00
br_netlink.c net: bridge: fix under estimation in br_get_linkxstats_size() 2021-10-13 10:04:27 +02:00
br_nf_core.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
br_private_mrp.h bridge: mrp: Fix the usage of br_mrp_port_switchdev_set_state 2021-02-17 11:02:29 +01:00
br_private_stp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_private_tunnel.h net: bridge: vlan options: add support for tunnel mapping set/del 2020-03-17 22:47:12 -07:00
br_private.h net: bridge: mcast: use multicast_membership_interval for IGMPv3 2021-10-27 09:56:54 +02:00
br_stp_bpdu.c net: bridge: add STP xstats 2019-12-14 20:02:36 -08:00
br_stp_if.c net: remove newlines in NL_SET_ERR_MSG_MOD 2020-05-07 17:56:14 -07:00
br_stp_timer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_stp.c net: bridge: Add checks for enabling the STP. 2020-04-27 11:40:25 -07:00
br_switchdev.c net: bridge: don't notify switchdev for local FDB addresses 2021-03-30 14:32:04 +02:00
br_sysfs_br.c net: bridge: Add checks for enabling the STP. 2020-04-27 11:40:25 -07:00
br_sysfs_if.c net: bridge: use switchdev for port flags set through sysfs too 2021-03-07 12:34:07 +01:00
br_vlan_options.c net: bridge: vlan options: move the tunnel command to the nested attribute 2020-03-20 08:52:20 -07:00
br_vlan_tunnel.c net: bridge: fix vlan tunnel dst refcnt when egressing 2021-06-23 14:42:53 +02:00
br_vlan.c bridge: switchdev: Fix memory leaks when changing VLAN protocol 2022-12-02 17:39:57 +01:00
br.c net: bridge: fix flags interpretation for extern learn fdb entries 2021-08-18 08:59:13 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile bridge: mrp: Connect MRP API with the switchdev API 2020-04-27 11:40:25 -07:00