Commit 280b5f71 authored Oct 09, 2024 by Florian Westphal Committed by Wang Liang Oct 09, 2024

netfilter: nft_socket: fix sk refcount leaks

stable inclusion
from stable-v6.6.52
commit 83e6fb59040e8964888afcaa5612cc1243736715
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9K2
CVE: CVE-2024-46855

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=83e6fb59040e8964888afcaa5612cc1243736715



--------------------------------

[ Upstream commit 8b26ff7af8c32cb4148b3e147c52f9e4c695209c ]

We must put 'sk' reference before returning.

Fixes: 039b1f4f ("netfilter: nft_socket: fix erroneous socket assignment")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>

parent e4bfde20

net/netfilter/nft_socket.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -110,13 +110,13 @@ static void nft_socket_eval(const struct nft_expr *expr,
		*dest = READ_ONCE(sk->sk_mark);
		} else {
		regs->verdict.code = NFT_BREAK;
		return;
		goto out_put_sk;
		}
		break;
		case NFT_SOCKET_WILDCARD:
		if (!sk_fullsock(sk)) {
		regs->verdict.code = NFT_BREAK;
		return;
		goto out_put_sk;
		}
		nft_socket_wildcard(pkt, regs, sk, dest);
		break;
		@@ -124,7 +124,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
		case NFT_SOCKET_CGROUPV2:
		if (!nft_sock_get_eval_cgroupv2(dest, sk, pkt, priv->level)) {
		regs->verdict.code = NFT_BREAK;
		return;
		goto out_put_sk;
		}
		break;
		#endif
		@@ -133,6 +133,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
		regs->verdict.code = NFT_BREAK;
		}

		out_put_sk:
		if (sk != skb->sk)
		sock_gen_put(sk);
		}