Commit 7d3de071 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Dong Chenchen

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

stable inclusion
from stable-v6.6.72
commit d5807dd1328bbc86e059c5de80d1bbee9d58ca3d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQQN
CVE: CVE-2025-21648

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d5807dd1328bbc86e059c5de80d1bbee9d58ca3d



--------------------------------

[ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ]

Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
resizing hashtable because __GFP_NOWARN is unset. See:

  0708a0af ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")

Note: hashtable resize is only possible from init_netns.

Fixes: 9cc1c73a ("netfilter: conntrack: avoid integer overflow when resizing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
parent 01e57e5f
+4 −1
@@ -2568,12 +2568,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
	struct hlist_nulls_head *hash;
	unsigned int nr_slots, i;

	if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head)))
	if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head)))
		return NULL;

	BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
	nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));

	if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head)))
		return NULL;

	hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL);

	if (hash && nulls)
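Review bot: On the new second bail-out, `if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head))) return NULL;`, `*sizep` has already been overwritten with the rounded-up value by the assignment just above it, so a caller receives NULL together with a modified size. Rounding into `nr_slots` alone and writing `*sizep = nr_slots;` only after the check passes would keep the failure path free of side effects; whether any caller reads the size after a failure is not visible in this hunk. The bound is also repeated verbatim and unexplained in the code, so a short comment such as `/* kvmalloc() warns on requests above INT_MAX bytes unless __GFP_NOWARN is set; re-check after roundup() */` would record why both tests exist, since the request size is administrator-controlled. The body of nf_ct_alloc_hashtable() continues past the end of the hunk.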