Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 93bc4e89 authored by Pekka Enberg's avatar Pekka Enberg Committed by David S. Miller
Browse files

netfilter: fix double-free and use-after free 



As suggested by Patrick McHardy, introduce a __krealloc() that doesn't
free the original buffer to fix a double-free and use-after-free bug
introduced by me in netfilter that uses RCU.

Reported-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPekka Enberg <penberg@cs.helsinki.fi>
Tested-by: default avatarDieter Ries <clip2@gmx.de>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 3918fed5

include/linux/slab.h

+1 −0
Original line number Diff line number Diff line
@@ -96,6 +96,7 @@ int kmem_ptr_validate(struct kmem_cache *cachep, const void *ptr); 
/*

 * Common kmalloc functions provided by all allocators

 */

void * __must_check __krealloc(const void *, size_t, gfp_t);

void * __must_check krealloc(const void *, size_t, gfp_t);

void kfree(const void *);

size_t ksize(const void *);

mm/util.c

+34 −10
Original line number Diff line number Diff line
@@ -68,25 +68,22 @@ void *kmemdup(const void *src, size_t len, gfp_t gfp) 
EXPORT_SYMBOL(kmemdup);



/**

 * krealloc - reallocate memory. The contents will remain unchanged.

 * __krealloc - like krealloc() but don't free @p.

 * @p: object to reallocate memory for.

 * @new_size: how many bytes of memory are required.

 * @flags: the type of memory to allocate.

 *

 * The contents of the object pointed to are preserved up to the

 * lesser of the new and old sizes.  If @p is %NULL, krealloc()

 * behaves exactly like kmalloc().  If @size is 0 and @p is not a

 * %NULL pointer, the object pointed to is freed.

 * This function is like krealloc() except it never frees the originally

 * allocated buffer. Use this if you don't want to free the buffer immediately

 * like, for example, with RCU.

 */

void *krealloc(const void *p, size_t new_size, gfp_t flags)

void *__krealloc(const void *p, size_t new_size, gfp_t flags)

{

	void *ret;

	size_t ks = 0;



	if (unlikely(!new_size)) {

		kfree(p);

	if (unlikely(!new_size))

		return ZERO_SIZE_PTR;

	}



	if (p)

		ks = ksize(p);
@@ -95,10 +92,37 @@ void *krealloc(const void *p, size_t new_size, gfp_t flags) 
		return (void *)p;



	ret = kmalloc_track_caller(new_size, flags);

	if (ret && p) {

	if (ret && p)

		memcpy(ret, p, ks);



	return ret;

}

EXPORT_SYMBOL(__krealloc);



/**

 * krealloc - reallocate memory. The contents will remain unchanged.

 * @p: object to reallocate memory for.

 * @new_size: how many bytes of memory are required.

 * @flags: the type of memory to allocate.

 *

 * The contents of the object pointed to are preserved up to the

 * lesser of the new and old sizes.  If @p is %NULL, krealloc()

 * behaves exactly like kmalloc().  If @size is 0 and @p is not a

 * %NULL pointer, the object pointed to is freed.

 */

void *krealloc(const void *p, size_t new_size, gfp_t flags)

{

	void *ret;



	if (unlikely(!new_size)) {

		kfree(p);

		return ZERO_SIZE_PTR;

	}



	ret = __krealloc(p, new_size, flags);

	if (ret && p != ret)

		kfree(p);



	return ret;

}

EXPORT_SYMBOL(krealloc);

net/netfilter/nf_conntrack_extend.c

+1 −1
Original line number Diff line number Diff line
@@ -95,7 +95,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp) 
	newlen = newoff + t->len;

	rcu_read_unlock();



	new = krealloc(ct->ext, newlen, gfp);

	new = __krealloc(ct->ext, newlen, gfp);

	if (!new)

		return NULL;