Re: [PATCH 3.19 176/177] netfilter: x_tables: fix cgroup matching on non-full sks

From: Daniel Borkmann
Date: Sun May 03 2015 - 17:20:52 EST


Hi Greg, hi Pablo,

On 05/03/2015 08:45 PM, Greg Kroah-Hartman wrote:
On Sun, May 03, 2015 at 12:47:17AM +0300, Thomas Backlund wrote:
Den 02.05.2015 22:03, Greg Kroah-Hartman skrev:
3.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@xxxxxxxxxxxxx>

commit afb7718016fcb0370ac29a83b2839c78b76c2960 upstream.

While originally only being intended for outgoing traffic, commit
a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for
LOCAL_IN nf hooks") enabled xt_cgroups for the NF_INET_LOCAL_IN hook
as well, in order to allow for nfacct accounting.

Besides being currently limited to early demuxes only, commit
a00e76349f35 forgot to add a check if we deal with full sockets,
i.e. in this case not with time wait sockets. TCP time wait sockets
do not have the same memory layout as full sockets, a lower memory
footprint and consequently also don't have a sk_classid member;
probing for sk_classid member there could potentially lead to a
crash.

Fixes: a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks")
Cc: Alexey Perevalov <a.perevalov@xxxxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
net/netfilter/xt_cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -39,7 +39,7 @@ cgroup_mt(const struct sk_buff *skb, str
{
const struct xt_cgroup_info *info = par->matchinfo;

- if (skb->sk == NULL)
+ if (skb->sk == NULL || !sk_fullsock(skb->sk))
return false;

return (info->id == skb->sk->sk_classid) ^ info->invert;
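Review bot: the new `!sk_fullsock(skb->sk)` test in this hunk depends on a helper that the patch neither defines nor pulls in with an include, so the backport only builds if the target tree already carries `sk_fullsock()`; as the build log further down in this thread shows, 3.19 does not, and the result is an implicit-function-declaration error. Either carry the helper with this change or use the alternative version of the fix referenced by its patchwork URL later in the thread. The ordering of the condition itself is fine: the `skb->sk == NULL` test short-circuits before `sk_fullsock()` would dereference the pointer.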

This one breaks the build with:

net/netfilter/xt_cgroup.c: In function 'cgroup_mt':
net/netfilter/xt_cgroup.c:42:2: error: implicit declaration of function
'sk_fullsock' [-Werror=implicit-function-declaration]


In order to fix it, you also need to add:

From 1d0ab253872cdd3d8e7913f59c266c7fd01771d0 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Sun, 15 Mar 2015 21:12:12 -0700
Subject: [PATCH] net: add sk_fullsock() helper

which in turn needs this one:

From 10feb428a5045d5eb18a5d755fbb8f0cc9645626 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Thu, 12 Mar 2015 16:44:04 -0700
Subject: [PATCH] inet: add TCP_NEW_SYN_RECV state

I've just dropped the patch, thanks for letting me know, odd that my
build tests missed it.

If you're nevertheless interested in this fix, you could use this version,
which should apply/build just fine:

http://patchwork.ozlabs.org/patch/455546/

I believe Pablo usually sends netfilter patches in bundles to you.

Thanks a lot,
Daniel