Florian Westphal e58a171d35 netfilter: ebtables: fix table blob use-after-free ... We are not allowed to return an error at this point. Looking at the code it looks like ret is always 0 at this point, but its not. t = find_table_lock(net, repl->name, &ret, &ebt_mutex); ... this can return a valid table, with ret != 0. This bug causes update of table->private with the new blob, but then frees the blob right away in the caller. Syzbot report: BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74 Workqueue: netns cleanup_net Call Trace: kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613 ... ip(6)tables appears to be ok (ret should be 0 at this point) but make this more obvious. Fixes: c58dd2dd44 ("netfilter: Can't fail and free after table replacement") Reported-by: syzbot+f61594de72d6705aea03@syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>		2023-02-22 00:22:31 +01:00
..
ila	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
netfilter	netfilter: ebtables: fix table blob use-after-free	2023-02-22 00:22:31 +01:00
addrconf.c	ip/ip6_gre: Fix non-point-to-point tunnel not generating IPv6 link local address	2023-02-01 19:52:22 -08:00
addrconf_core.c	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
addrlabel.c	ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network	2022-11-07 12:26:15 +00:00
af_inet6.c	net: Return errno in sk->sk_prot->get_port().	2022-11-21 13:05:39 +00:00
ah6.c	xfrm: ah: add extack to ah_init_state, ah6_init_state	2022-09-29 07:17:59 +02:00
anycast.c
calipso.c
datagram.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-12-13 09:49:29 +01:00
esp6.c	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next	2022-10-03 07:52:13 +01:00
esp6_offload.c	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next	2022-11-29 20:50:51 -08:00
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c
icmp.c	icmp: Fix data-races around sysctl_icmp_echo_enable_probe.	2022-07-13 12:56:49 +01:00
inet6_connection_sock.c
inet6_hashtables.c	tcp: Access &tcp_hashinfo via net.	2022-09-20 10:21:49 -07:00
ioam6.c	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
ioam6_iptunnel.c
ip6_checksum.c
ip6_fib.c	ipv6: fib6_new_sernum() optimization	2022-11-16 12:42:00 +00:00
ip6_flowlabel.c	treewide: use get_random_u32() when possible	2022-10-11 17:42:58 -06:00
ip6_gre.c	ipv6: tunnels: use DEV_STATS_INC()	2022-11-16 12:48:44 +00:00
ip6_icmp.c
ip6_input.c	tcp/udp: Make early_demux back namespacified.	2022-07-15 18:50:35 -07:00
ip6_offload.c	IPv6/GRO: generic helper to remove temporary HBH/jumbo header in driver	2022-12-12 15:41:44 -08:00
ip6_offload.h
ip6_output.c	ipv6: fix reachability confirmation with proxy_ndp	2023-01-23 11:17:37 +00:00
ip6_tunnel.c	ipv6: tunnels: use DEV_STATS_INC()	2022-11-16 12:48:44 +00:00
ip6_udp_tunnel.c
ip6_vti.c	ipv6: tunnels: use DEV_STATS_INC()	2022-11-16 12:48:44 +00:00
ip6mr.c	treewide: Convert del_timer*() to timer_shutdown*()	2022-12-25 13:38:09 -08:00
ipcomp6.c	xfrm: ipcomp: add extack to ipcomp{4,6}_init_state	2022-09-29 07:18:00 +02:00
ipv6_sockglue.c	inet6: Clean up failure path in do_ipv6_setsockopt().	2022-10-24 09:40:39 +01:00
Kconfig	crypto: lib - make the sha1 library optional	2022-07-15 16:43:59 +08:00
Makefile
mcast.c	treewide: use get_random_u32_below() instead of deprecated function	2022-11-18 02:15:15 +01:00
mcast_snoop.c
mip6.c	xfrm: mip6: add extack to mip6_destopt_init_state, mip6_rthdr_init_state	2022-09-29 07:18:01 +02:00
ndisc.c	net: fix potential refcount leak in ndisc_router_discovery()	2022-08-15 11:40:28 +01:00
netfilter.c	netfilter: Use l3mdev flow key when re-routing mangled packets	2022-05-16 13:03:29 +02:00
output_core.c	treewide: use get_random_u32_{above,below}() instead of manual loop	2022-11-18 02:15:22 +01:00
ping.c	inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().	2022-10-24 09:40:38 +01:00
proc.c
protocol.c
raw.c	ipv6: raw: Deduct extension header length in rawv6_push_pending_frames	2023-01-11 12:49:13 +00:00
reassembly.c	net: dropreason: add SKB_DROP_REASON_DUP_FRAG	2022-10-31 20:14:26 -07:00
route.c	treewide: use get_random_u32_below() instead of deprecated function	2022-11-18 02:15:15 +01:00
rpl.c
rpl_iptunnel.c
seg6.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-09-08 18:38:30 +02:00
seg6_hmac.c	net: ipv6: unexport __init-annotated seg6_hmac_net_init()	2022-06-28 21:23:30 -07:00
seg6_iptunnel.c	seg6: add support for SRv6 H.L2Encaps.Red behavior	2022-07-29 12:14:03 +01:00
seg6_local.c	net: Remove the obsolte u64_stats_fetch_*_irq() users (net).	2022-10-28 20:13:54 -07:00
sit.c	ipv6/sit: use DEV_STATS_INC() to avoid data-races	2022-11-16 12:48:44 +00:00
syncookies.c	tcp: Fix data-races around sysctl_tcp_syncookies.	2022-07-18 12:21:54 +01:00
sysctl_net_ipv6.c
tcp_ipv6.c	net/tcp: Do cleanup on tcp_md5_key_copy() failure	2022-12-01 15:53:05 -08:00
tcpv6_offload.c
tunnel6.c
udp.c	udp: Access &udp_table via net.	2022-11-16 09:43:35 +00:00
udp_impl.h	tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().	2022-10-12 17:50:37 -07:00
udp_offload.c	udp: allow header check for dodgy GSO_UDP_L4 packets.	2022-12-12 09:29:56 +00:00
udplite.c	tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().	2022-10-12 17:50:37 -07:00
xfrm6_input.c
xfrm6_output.c
xfrm6_policy.c	xfrm: Fix ignored return value in xfrm6_init()	2022-11-22 07:16:34 +01:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c	xfrm: tunnel: add extack to ipip_init_state, xfrm6_tunnel_init_state	2022-09-29 07:18:00 +02:00