Commit 3b250fd7 authored Oct 11, 2024 by Florian Westphal Committed by Wang Liang Oct 11, 2024

netfilter: nft_socket: fix sk refcount leaks

mainline inclusion
from mainline-v6.11
commit 8b26ff7af8c32cb4148b3e147c52f9e4c695209c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9K2
CVE: CVE-2024-46855

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b26ff7af8c32cb4148b3e147c52f9e4c695209c



--------------------------------

We must put 'sk' reference before returning.

Fixes: 039b1f4f ("netfilter: nft_socket: fix erroneous socket assignment")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflicts:
        net/netfilter/nft_socket.c
[conflicts due to not mergered e0bb96db ("netfilter: nft_socket: add support for cgroupsv2")]
Signed-off-by: Wang Liang <wangliang74@huawei.com>

parent 33a5644b

net/netfilter/nft_socket.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -88,13 +88,13 @@ static void nft_socket_eval(const struct nft_expr *expr,
		*dest = sk->sk_mark;
		} else {
		regs->verdict.code = NFT_BREAK;
		return;
		goto out_put_sk;
		}
		break;
		case NFT_SOCKET_WILDCARD:
		if (!sk_fullsock(sk)) {
		regs->verdict.code = NFT_BREAK;
		return;
		goto out_put_sk;
		}
		nft_socket_wildcard(pkt, regs, sk, dest);
		break;
		@@ -103,6 +103,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
		regs->verdict.code = NFT_BREAK;
		}

		out_put_sk:
		if (sk != skb->sk)
		sock_gen_put(sk);
		}