authorFlorian Westphal <fw@strlen.de>2022-05-17 22:44:55 +0200
committerFlorian Westphal <fw@strlen.de>2022-05-26 23:02:44 +0200
commit09de09d51b0918418c3e052b7fa90611a36da221 (patch)
tree2fe9a4c025e720781e6067b00a6fcbfbf6e5cc26
parent0f72f32ff4dbe72dffb87ab02b504b838581c9de (diff)
downloadnf-09de09d51b0918418c3e052b7fa90611a36da221.tar.gz
netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit
syzbot reports: BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0xcc/0xf0 lib/list_debug.c:42 [..] list_del include/linux/list.h:148 [inline] cttimeout_net_exit+0x211/0x540 net/netfilter/nfnetlink_cttimeout.c:617 No reproducer so far. Looking at recent changes in this area it's clear that the free_head must not be at the end of the structure because the nf_ct_timeout structure has variable size. Reported-by: <syzbot+92968395eedbdbd3617d@syzkaller.appspotmail.com> Fixes: 78222bacfca9 ("netfilter: cttimeout: decouple unlink and free on netns destruction") Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--net/netfilter/nfnetlink_cttimeout.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index f069c24c61461a..af15102bc696fa 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -35,12 +35,13 @@ static unsigned int nfct_timeout_id __read_mostly;
struct ctnl_timeout {
struct list_head head;
+ struct list_head free_head;
struct rcu_head rcu_head;
refcount_t refcnt;
char name[CTNL_TIMEOUT_NAME_MAX];
- struct nf_ct_timeout timeout;
- struct list_head free_head;
+ /* must be at the end */
+ struct nf_ct_timeout timeout;
};
struct nfct_timeout_pernet {