
netfilter: nf_queue: fix socket refcount bugs

Florian Westphal requested to merge fwestpha/centos-stream-9-fw:bz2060092 into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2060092
Upstream Status: net.git
Conflicts: none

nf_queue has accumulated significant bitrot over the last decade:

TCP_NEW_SYN_RECV type sockets that close while packet was queued to userspace cause memory corruption, see patch 1 for details.

There is no guarantee that the refcount of the referenced struct sock can safely be incremented; it needs to use refcount_inc_not_zero(), else we get a use-after-free and double-free due to a 0 -> 1 -> 0 transition.

The bpf socket prefetch feature means the socket assigned to the skb (skb->sk) is NOT owned by the skb. For these, we get a use-after-free because, on reinject, skb->sk may reference an already released structure.

Patch 1 fixes the first bug, the second patch adds a test case, and patches 3 & 4 fix the other two issues.

Signed-off-by: Florian Westphal <fwestpha@redhat.com>
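The 0 -> 1 -> 0 transition described in the merge request, shown as an added userspace model; this is not code from this merge request or from the kernel. It assumes a toy socket with a plain integer refcount and a free counter (so a second free is counted rather than crashing the process), and it models only the ordering the description names: the socket's owner drops the last reference while an skb pointing at it is still queued to userspace, and the queue path only then tries to pin skb->sk. The names toy_sock, toy_queue_entry, unsafe_inc, inc_not_zero and run_scenario are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct sock (hypothetical): a refcount plus a counter of
 * how many times the object was "freed", so the model can report a double
 * free instead of actually corrupting memory. */
struct toy_sock {
    int refcnt;
    int free_count;
};

/* Toy stand-in for the nf_queue entry that keeps a pointer to skb->sk. */
struct toy_queue_entry {
    struct toy_sock *sk;
};

static void toy_sock_free(struct toy_sock *sk)
{
    sk->free_count++;
}

/* sock_put()-style release: the reference that hits zero frees the object. */
static void toy_sock_put(struct toy_sock *sk)
{
    if (--sk->refcnt == 0)
        toy_sock_free(sk);
}

/* Unconditional increment: happily turns 0 into 1 on an already freed object. */
static void unsafe_inc(struct toy_sock *sk)
{
    sk->refcnt++;
}

/* refcount_inc_not_zero()-style increment: refuses to resurrect a dead object. */
static bool inc_not_zero(struct toy_sock *sk)
{
    if (sk->refcnt == 0)
        return false;
    sk->refcnt++;
    return true;
}

/* Runs the race in the description and returns how often the socket was freed:
 * 1 means the single, legitimate free; 2 means the 0 -> 1 -> 0 double free. */
static int run_scenario(bool use_inc_not_zero)
{
    struct toy_sock sk = { .refcnt = 1, .free_count = 0 };
    struct toy_queue_entry entry = { .sk = &sk };  /* queued skb points at sk, no ref held */

    /* Step 1: the socket's owner closes it while the skb sits in the queue: 1 -> 0, freed. */
    toy_sock_put(&sk);

    /* Step 2: the queue path now tries to take its own reference on skb->sk. */
    if (use_inc_not_zero) {
        if (!inc_not_zero(entry.sk))
            entry.sk = NULL;       /* socket is gone: forget the pointer instead of pinning it */
    } else {
        unsafe_inc(entry.sk);      /* 0 -> 1 on a freed object */
    }

    /* Step 3: reinject (or entry teardown) drops the reference the queue path took. */
    if (entry.sk)
        toy_sock_put(entry.sk);    /* 1 -> 0 again: second free in the unsafe variant */

    return sk.free_count;
}

int main(void)
{
    printf("unconditional inc: socket freed %d time(s)\n", run_scenario(false));
    printf("inc_not_zero:      socket freed %d time(s)\n", run_scenario(true));
    return 0;
}
```

The point of the guard is that a pointer to a socket is not the same as a reference to it: if the holder never took a reference, the only safe way to obtain one later is an increment that fails on zero, and the caller must then treat the socket as gone (clear the pointer or drop the packet) rather than proceed.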
