When exiting a network namespace, in cleanup_net()->ops_undo_list(),
ip_vs_ftp_ops->exit() is called before ip_vs_core_ops->exit_batch().
The ip_vs_app ip_vs_ftp and its incarnations will be freed by
unregister_ip_vs_app().
However, there could still be connections bound to ip_vs_ftp's incarnation.
cp->app points to the free'd incarnation, which will be accessed later by
__ip_vs_cleanup_batch()->ip_vs_conn_net_cleanup()->ip_vs_conn_flush()->ip_vs_conn_del()->
ip_vs_conn_expire()->ip_vs_unbind_app(), causing a uaf. This vulnarability can
lead to a local privilege escalation.
Reproduction steps:
1. create a ipvs service on (127.0.0.1:21)
2. create a ipvs destination on the service, to (127.0.0.1:<any>)
3. send a tcp packet to (127.0.0.1:21)
4. exit the network namespace
I think the fix should flush all connection to ftp before unregistration.
The simpler fix is to delete ip_vs_ftp_ops->exit, and defer the unregistration
of ip_vs_ftp to ip_vs_app_net_cleanup(), which will unregister all ip_vs_app.
It's after ip_vs_conn_net_cleanup() so there is no uaf issue. This patch
seems to solve the issue but has't been fully tested yet, and is also not
graceful.
Signed-off-by: Slavin Liu <slavin...@gmail.com>
---
net/netfilter/ipvs/ip_vs_ftp.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index d8a284999544..68def1106681 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -598,22 +598,9 @@ static int __net_init __ip_vs_ftp_init(struct net *net)
unregister_ip_vs_app(ipvs, &ip_vs_ftp);
return ret;
}
-/*
- * netns exit
- */
-static void __ip_vs_ftp_exit(struct net *net)
-{
- struct netns_ipvs *ipvs = net_ipvs(net);
-
- if (!ipvs)
- return;
-
- unregister_ip_vs_app(ipvs, &ip_vs_ftp);
-}
static struct pernet_operations ip_vs_ftp_ops = {
.init = __ip_vs_ftp_init,
- .exit = __ip_vs_ftp_exit,
};
static int __init ip_vs_ftp_init(void)
--
2.34.1
