
Commit 1b7330db authored by Florian Westphal's avatar Florian Westphal Committed by Lee Jones

UPSTREAM: netfilter: nft_set_rbtree: fix null deref on element insertion



commit 61ae320a29b0540c16931816299eb86bf2b66c08 upstream.

There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():

general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 nft_add_set_elem+0x14b0/0x2990
  nf_tables_newsetelem+0x528/0xb30

Furthermore, there is a possible use-after-free while iterating: 'node' can be
freed by the gc call, so we need to cache the next value before using it.

Bug: 299922216
Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 899aa563)
Signed-off-by: default avatarLee Jones <joneslee@google.com>
Change-Id: Ie5223611ff2b9dd937648e5e0c5f4095a1c4dca7
parent f896aebc
+13 −7
@@ -220,7 +220,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
{
	struct nft_set *set = (struct nft_set *)__set;
	struct rb_node *prev = rb_prev(&rbe->node);
	struct nft_rbtree_elem *rbe_prev;
	struct nft_rbtree_elem *rbe_prev = NULL;
	struct nft_set_gc_batch *gcb;

	gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC);
@@ -228,17 +228,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
		return -ENOMEM;

	/* search for expired end interval coming before this element. */
	do {
	while (prev) {
		rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
		if (nft_rbtree_interval_end(rbe_prev))
			break;

		prev = rb_prev(prev);
	} while (prev != NULL);
	}

	if (rbe_prev) {
		rb_erase(&rbe_prev->node, &priv->root);
		atomic_dec(&set->nelems);
	}

	rb_erase(&rbe->node, &priv->root);
	atomic_sub(2, &set->nelems);
	atomic_dec(&set->nelems);

	nft_set_gc_batch_add(gcb, rbe);
	nft_set_gc_batch_complete(gcb);
@@ -267,7 +271,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
			       struct nft_set_ext **ext)
{
	struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
	struct rb_node *node, *parent, **p, *first = NULL;
	struct rb_node *node, *next, *parent, **p, *first = NULL;
	struct nft_rbtree *priv = nft_set_priv(set);
	u8 genmask = nft_genmask_next(net);
	int d, err;
@@ -306,7 +310,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
	 * Values stored in the tree are in reversed order, starting from
	 * highest to lowest value.
	 */
	for (node = first; node != NULL; node = rb_next(node)) {
	for (node = first; node != NULL; node = next) {
		next = rb_next(node);

		rbe = rb_entry(node, struct nft_rbtree_elem, node);

		if (!nft_set_elem_active(&rbe->ext, genmask))
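Review bot: In the second hunk the guard `if (rbe_prev)` does not establish that an expired end interval was actually found: when the `while (prev)` walk reaches the front of the tree without hitting `break`, `prev` is NULL but `rbe_prev` still points at the last start element visited, and that element is erased from the tree and subtracted from `nelems`. Testing the cursor instead — `if (prev) {` followed by `rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);` as the first statement of the block — ties the erase to the `break` that found the end interval. The erased `rbe_prev` is also never queued on the gc batch (only `rbe` is, via `nft_set_gc_batch_add(gcb, rbe)`), so unless it is released somewhere outside the hunk it is presumably leaked; adding `nft_set_gc_batch_add(gcb, rbe_prev);` inside the block would free it the same way `rbe` is freed. The remainder of nft_rbtree_gc_elem lies outside the hunk, and the later hunks only cache `next` before `node` can be freed, which looks correct on its own.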