diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-01 13:17:40 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-03 14:47:03 +0200 |
commit | d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 (patch) | |
tree | 81e85019d3a1cb8cb86b649ca3460a07ddb1629d /drivers/amba/bus.c | |
parent | c4e8fa9074ad94f80e5c0dcaa16b313e50e958c5 (diff) | |
download | linux-d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3.tar.gz linux-d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3.tar.bz2 linux-d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3.zip |
netfilter: conntrack: refetch conntrack after nf_conntrack_update()
__nf_conntrack_update() might refresh the conntrack object that is
attached to the skbuff. Otherwise, this triggers UAF.
[ 633.200434] ==================================================================
[ 633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[ 633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769
[ 633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388
[ 633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
[ 633.200491] Call Trace:
[ 633.200499] dump_stack+0x7c/0xb0
[ 633.200526] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[ 633.200532] print_address_description.constprop.6+0x1a/0x200
[ 633.200539] ? _raw_write_lock_irqsave+0xc0/0xc0
[ 633.200568] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[ 633.200594] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[ 633.200598] kasan_report.cold.9+0x1f/0x42
[ 633.200604] ? call_rcu+0x2c0/0x390
[ 633.200633] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[ 633.200659] nf_conntrack_update+0x34e/0x770 [nf_conntrack]
[ 633.200687] ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack]
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436
Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'drivers/amba/bus.c')
0 files changed, 0 insertions, 0 deletions