Bug#934168: linux-image-4.19.0-5-amd64: iptables-restore may result in NULL pointer dereference at nf_tables_newrule on startup
Hi Salvatore,
Using the current 5.2.6-1 Debian kernel fixes this bug.
I have checked the differences between v4.19 and v5.2 in the upstream kernel
repository and found the following commit:
Commit 9b1ef3a0e906bb4a37a71ee39c8528270b490243 from Linux Kernel Upstream:
> From 9b1ef3a0e906bb4a37a71ee39c8528270b490243 Mon Sep 17 00:00:00 2001
> From: Taehee Yoo <ap420073@gmail.com>
> Date: Tue, 19 Mar 2019 13:22:41 +0900
> Subject: [PATCH] netfilter: nf_tables: add missing ->release_ops() in error
> path of newrule()
>
> ->release_ops() callback releases resources and this is used in error path.
> If nf_tables_newrule() fails after ->select_ops(), it should release
> resources. but it can not call ->destroy() because that should be called
> after ->init().
> At this point, ->release_ops() should be used for releasing resources.
>
> Test commands:
> modprobe -rv xt_tcpudp
> iptables-nft -I INPUT -m tcp <-- error command
> lsmod
>
> Result:
> Module Size Used by
> xt_tcpudp 20480 2 <-- it should be 0
>
> Fixes: b8e204006340 ("netfilter: nft_compat: use .release_ops and remove list of extension")
> Signed-off-by: Taehee Yoo <ap420073@gmail.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/netfilter/nf_tables_api.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 2cfb173cd0b2..4e57d90f8884 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -2693,8 +2693,11 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
> nf_tables_rule_release(&ctx, rule);
> err1:
> for (i = 0; i < n; i++) {
> - if (info[i].ops != NULL)
> + if (info[i].ops) {
> module_put(info[i].ops->type->owner);
> + if (info[i].ops->type->release_ops)
> + info[i].ops->type->release_ops(info[i].ops);
> + }
> }
> kvfree(info);
> return err;
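Review bot: In the err1 loop, module_put(info[i].ops->type->owner) is issued before ->release_ops() is called, so the callback runs after the reference on its owning module has already been dropped; the conventional order is to release the resources first and drop the module reference last, i.e. call info[i].ops->type->release_ops(info[i].ops) before module_put(info[i].ops->type->owner). Also, the commit message only demonstrates a leaked module reference (Used by 2 instead of 0), whereas the Debian bug this is proposed for is a NULL pointer dereference in nf_tables_newrule; the backport justification should spell out how the missing ->release_ops() on this error path leads to that crash.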
> --
> 2.22.0
AFAIK, this is not backported to the Debian Linux kernel for Buster.
It would be great if anyone could check whether this is the correct commit.
I also found the following bug report for linux-image-arm64 which may
be the same:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933265
Regards,
Elias
--
Elias Werberich <elias@werberich.de>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GnuPG-Fingerprint: EB36 7730 B5E7 8968 AE7B 69D1 4FAC B12F 72B8 04B7
GnuPG-Key-ID: 0x4FACB12F72B804B7