Skip to content

Commit f90dffe

Browse files
gvrose8192gvrose8192
committed
netfilter: nf_tables: report use refcount overflow
jira VUlN-429 subsystem-sync netfilter:nf_tables 4.18.0-511 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 1689f25 upstream-diff Lots of fuzz and offsets with some minor code modifications required to match the source of truth for this commit, which is the rocky8_10 branch. Overflow use refcount checks are not complete. Add helper function to deal with object reference counter tracking. Report -EMFILE in case UINT_MAX is reached. nft_use_dec() splats in case that reference counter underflows, which should not ever happen. Add nft_use_inc_restore() and nft_use_dec_restore() which are used to restore reference counter from error and abort paths. Use u32 in nft_flowtable and nft_object since helper functions cannot work on bitfields. Remove the few early incomplete checks now that the helper functions are in place and used to check for refcount overflow. Fixes: 9651851 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 1689f25) Signed-off-by: Greg Rose <g.v.rose@ciq.com>
1 parent a2f538f commit f90dffe

File tree

4 files changed

+152
-84
lines changed

4 files changed

+152
-84
lines changed

include/net/netfilter/nf_tables.h

Lines changed: 27 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1079,6 +1079,29 @@ int __nft_release_basechain(struct nft_ctx *ctx);
10791079

10801080
unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
10811081

1082+
static inline bool nft_use_inc(u32 *use)
1083+
{
1084+
if (*use == UINT_MAX)
1085+
return false;
1086+
1087+
(*use)++;
1088+
1089+
return true;
1090+
}
1091+
1092+
static inline void nft_use_dec(u32 *use)
1093+
{
1094+
WARN_ON_ONCE((*use)-- == 0);
1095+
}
1096+
1097+
/* For error and abort path: restore use counter to previous state. */
1098+
static inline void nft_use_inc_restore(u32 *use)
1099+
{
1100+
WARN_ON_ONCE(!nft_use_inc(use));
1101+
}
1102+
1103+
#define nft_use_dec_restore nft_use_dec
1104+
10821105
/**
10831106
* struct nft_table - nf_tables table
10841107
*
@@ -1148,8 +1171,8 @@ struct nft_object {
11481171
struct list_head list;
11491172
struct rhlist_head rhlhead;
11501173
struct nft_object_hash_key key;
1151-
u32 genmask:2,
1152-
use:30;
1174+
u32 genmask:2;
1175+
u32 use;
11531176
u64 handle;
11541177
/* runtime data below here */
11551178
const struct nft_object_ops *ops ____cacheline_aligned;
@@ -1249,8 +1272,8 @@ struct nft_flowtable {
12491272
char *name;
12501273
int hooknum;
12511274
int ops_len;
1252-
u32 genmask:2,
1253-
use:30;
1275+
u32 genmask:2;
1276+
u32 use;
12541277
u64 handle;
12551278
/* runtime data below here */
12561279
struct list_head hook_list ____cacheline_aligned;

0 commit comments

Comments
 (0)