netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex

Syzbot hit use-after-free in nf_tables_dump_sets. The problem was in
missing lock protection for nft_ct_pcpu_template_refcnt.

Before commit f102d66b335a ("netfilter: nf_tables: use dedicated
mutex to guard transactions") all transactions were serialized by global
mutex, but then global mutex was changed to local per netnamespace
commit_mutex.

This change causes use-after-free bug, when 2 netnamespaces concurently
changing nft_ct_pcpu_template_refcnt without proper locking. Fix it by
adding nft_ct_pcpu_mutex and protect all nft_ct_pcpu_template_refcnt
changes with it.

Fixes: f102d66b335a ("netfilter: nf_tables: use dedicated mutex to guard transactions")
Reported-and-tested-by: syzbot+649e339fa6658ee623d3@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 337e22d8b40b1e060e6e4bd57e0982fc87d6262b..99b1de14ff7eeac09ffb809f2270cd325ea04848 100644 (file)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -41,6 +41,7 @@ struct nft_ct_helper_obj  {
 #ifdef CONFIG_NF_CONNTRACK_ZONES
 static DEFINE_PER_CPU(struct nf_conn *, nft_ct_pcpu_template);
 static unsigned int nft_ct_pcpu_template_refcnt __read_mostly;
+static DEFINE_MUTEX(nft_ct_pcpu_mutex);
 #endif
 
 static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c,
@@ -525,8 +526,10 @@ static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
 #endif
 #ifdef CONFIG_NF_CONNTRACK_ZONES
        case NFT_CT_ZONE:
+               mutex_lock(&nft_ct_pcpu_mutex);
                if (--nft_ct_pcpu_template_refcnt == 0)
                        nft_ct_tmpl_put_pcpu();
+               mutex_unlock(&nft_ct_pcpu_mutex);
                break;
 #endif
        default:
@@ -564,9 +567,13 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
 #endif
 #ifdef CONFIG_NF_CONNTRACK_ZONES
        case NFT_CT_ZONE:
-               if (!nft_ct_tmpl_alloc_pcpu())
+               mutex_lock(&nft_ct_pcpu_mutex);
+               if (!nft_ct_tmpl_alloc_pcpu()) {
+                       mutex_unlock(&nft_ct_pcpu_mutex);
                        return -ENOMEM;
+               }
                nft_ct_pcpu_template_refcnt++;
+               mutex_unlock(&nft_ct_pcpu_mutex);
                len = sizeof(u16);
                break;
 #endif