netfilter: nfnetlink_queue: don't queue dying conntracks to userspace

When skb is queued to userspace it leaves softirq/rcu protection. skb->nfct (via conntrack extensions such as helper) could then reference modules that no longer exist if the conntrack was not yet confirmed. nf_ct_iterate_destroy() will set the DYING bit for unconfirmed conntracks, we therefore solve this race as follows: 1. take the queue spinlock. 2. check if the conntrack is unconfirmed and has dying bit set. In this case, we must discard skb while we're still inside rcu read-side section. 3. If nf_ct_iterate_destroy() is called right after the packet is queued to userspace, it will be removed from the queue via nf_ct_iterate_destroy -> nf_queue_nf_hook_drop. When userspace sends the verdict (nfnetlink takes rcu read lock), there are two cases to consider: 1. nf_ct_iterate_destroy() was called while packet was out. In this case, skb will have been removed from the queue already and no reinject takes place as we won't find a matching entry for the packet id. 2. nf_ct_iterate_destroy() gets called right after verdict callback found and removed the skb from queue list. In this case, skb->nfct is marked as dying but it is still valid. The skb will be dropped either in nf_conntrack_confirm (we don't insert DYING conntracks into hash table) or when we try to queue the skb again, but either events don't occur before the rcu read lock is dropped. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2017-07-25 18:02:34 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-07-31 13:09:39 -0400
commit: 5da773a3e81e6093c4346ee8cd356fc214d7c76c (patch)
tree: abe10a96daae1bd4a58e045771a9ebb74714c0f1
parent: e2a750070aeec7af3818065b39d61cb38627ce64 (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 7c543bfbf624..c9796629858f 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -41,6 +41,10 @@
 #include "../bridge/br_private.h"
 #endif
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+#include <net/netfilter/nf_conntrack.h>
+#endif
 #define NFQNL_QMAX_DEFAULT 1024
 /* We're using struct nlattr which has 16bit nla_len. Note that nla_len
@@ -612,6 +616,18 @@ nlmsg_failure:
        return NULL;
 }
+static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+        static const unsigned long flags = IPS_CONFIRMED | IPS_DYING;
+        const struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+        if (ct && ((ct->status & flags) == IPS_DYING))
+                return true;
+#endif
+        return false;
+}
 static int
 __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
                        struct nf_queue_entry *entry)
@@ -628,6 +644,9 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
        }
        spin_lock_bh(&queue->lock);
+        if (nf_ct_drop_unconfirmed(entry))
+                goto err_out_free_nskb;
        if (queue->queue_total >= queue->queue_maxlen) {
                if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
                        failopen = 1;
author	Florian Westphal <fw@strlen.de>	2017-07-25 18:02:34 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-07-31 13:09:39 -0400
commit	5da773a3e81e6093c4346ee8cd356fc214d7c76c (patch)
tree	abe10a96daae1bd4a58e045771a9ebb74714c0f1
parent	e2a750070aeec7af3818065b39d61cb38627ce64 (diff)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 7c543bfbf624..c9796629858f 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c
@@ -41,6 +41,10 @@
41	#include "../bridge/br_private.h"	41	#include "../bridge/br_private.h"
42	#endif	42	#endif
43		43
		44	#if IS_ENABLED(CONFIG_NF_CONNTRACK)
		45	#include <net/netfilter/nf_conntrack.h>
		46	#endif
		47
44	#define NFQNL_QMAX_DEFAULT 1024	48	#define NFQNL_QMAX_DEFAULT 1024
45		49
46	/* We're using struct nlattr which has 16bit nla_len. Note that nla_len	50	/* We're using struct nlattr which has 16bit nla_len. Note that nla_len
@@ -612,6 +616,18 @@ nlmsg_failure:
612	return NULL;	616	return NULL;
613	}	617	}
614		618
		619	static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
		620	{
		621	#if IS_ENABLED(CONFIG_NF_CONNTRACK)
		622	static const unsigned long flags = IPS_CONFIRMED \| IPS_DYING;
		623	const struct nf_conn ct = (void )skb_nfct(entry->skb);
		624
		625	if (ct && ((ct->status & flags) == IPS_DYING))
		626	return true;
		627	#endif
		628	return false;
		629	}
		630
615	static int	631	static int
616	__nfqnl_enqueue_packet(struct net net, struct nfqnl_instance queue,	632	__nfqnl_enqueue_packet(struct net net, struct nfqnl_instance queue,
617	struct nf_queue_entry *entry)	633	struct nf_queue_entry *entry)
@@ -628,6 +644,9 @@ __nfqnl_enqueue_packet(struct net net, struct nfqnl_instance queue,
628	}	644	}
629	spin_lock_bh(&queue->lock);	645	spin_lock_bh(&queue->lock);
630		646
		647	if (nf_ct_drop_unconfirmed(entry))
		648	goto err_out_free_nskb;
		649
631	if (queue->queue_total >= queue->queue_maxlen) {	650	if (queue->queue_total >= queue->queue_maxlen) {
632	if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {	651	if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
633	failopen = 1;	652	failopen = 1;