1 | From foo@baz Sat Jul 28 10:25:26 CEST 2018 |
2 | From: Alexey Kodanev <alexey.kodanev@oracle.com> | |
3 | Date: Thu, 31 May 2018 19:53:33 +0300 | |
4 | Subject: netfilter: nf_tables: check msg_type before nft_trans_set(trans) | |
5 | ||
6 | From: Alexey Kodanev <alexey.kodanev@oracle.com> | |
7 | ||
8 | [ Upstream commit 9c7f96fd77b0dbe1fe7ed1f9c462c45dc48a1076 ] | |
9 | ||
10 | The patch moves the "trans->msg_type == NFT_MSG_NEWSET" check before | |
11 | using nft_trans_set(trans). Otherwise we can get an out-of-bounds read. | |
12 | ||
13 | For example, KASAN reported the one when running 0001_cache_handling_0 nft | |
14 | test. In this case "trans->msg_type" was NFT_MSG_NEWTABLE: | |
15 | ||
16 | [75517.177808] BUG: KASAN: slab-out-of-bounds in nft_set_lookup_global+0x22f/0x270 [nf_tables] | |
17 | [75517.279094] Read of size 8 at addr ffff881bdb643fc8 by task nft/7356 | |
18 | ... | |
19 | [75517.375605] CPU: 26 PID: 7356 Comm: nft Tainted: G E 4.17.0-rc7.1.x86_64 #1 | |
20 | [75517.489587] Hardware name: Oracle Corporation SUN SERVER X4-2 | |
21 | [75517.618129] Call Trace: | |
22 | [75517.648821] dump_stack+0xd1/0x13b | |
23 | [75517.691040] ? show_regs_print_info+0x5/0x5 | |
24 | [75517.742519] ? kmsg_dump_rewind_nolock+0xf5/0xf5 | |
25 | [75517.799300] ? lock_acquire+0x143/0x310 | |
26 | [75517.846738] print_address_description+0x85/0x3a0 | |
27 | [75517.904547] kasan_report+0x18d/0x4b0 | |
28 | [75517.949892] ? nft_set_lookup_global+0x22f/0x270 [nf_tables] | |
29 | [75518.019153] ? nft_set_lookup_global+0x22f/0x270 [nf_tables] | |
30 | [75518.088420] ? nft_set_lookup_global+0x22f/0x270 [nf_tables] | |
31 | [75518.157689] nft_set_lookup_global+0x22f/0x270 [nf_tables] | |
32 | [75518.224869] nf_tables_newsetelem+0x1a5/0x5d0 [nf_tables] | |
33 | [75518.291024] ? nft_add_set_elem+0x2280/0x2280 [nf_tables] | |
34 | [75518.357154] ? nla_parse+0x1a5/0x300 | |
35 | [75518.401455] ? kasan_kmalloc+0xa6/0xd0 | |
36 | [75518.447842] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink] | |
37 | [75518.507743] ? nfnetlink_rcv+0x7a5/0x1bdf [nfnetlink] | |
38 | [75518.569745] ? nfnl_err_reset+0x3c0/0x3c0 [nfnetlink] | |
39 | [75518.631711] ? lock_acquire+0x143/0x310 | |
40 | [75518.679133] ? netlink_deliver_tap+0x9b/0x1070 | |
41 | [75518.733840] ? kasan_unpoison_shadow+0x31/0x40 | |
42 | [75518.788542] netlink_unicast+0x45d/0x680 | |
43 | [75518.837111] ? __isolate_free_page+0x890/0x890 | |
44 | [75518.891913] ? netlink_attachskb+0x6b0/0x6b0 | |
45 | [75518.944542] netlink_sendmsg+0x6fa/0xd30 | |
46 | [75518.993107] ? netlink_unicast+0x680/0x680 | |
47 | [75519.043758] ? netlink_unicast+0x680/0x680 | |
48 | [75519.094402] sock_sendmsg+0xd9/0x160 | |
49 | [75519.138810] ___sys_sendmsg+0x64d/0x980 | |
50 | [75519.186234] ? copy_msghdr_from_user+0x350/0x350 | |
51 | [75519.243118] ? lock_downgrade+0x650/0x650 | |
52 | [75519.292738] ? do_raw_spin_unlock+0x5d/0x250 | |
53 | [75519.345456] ? _raw_spin_unlock+0x24/0x30 | |
54 | [75519.395065] ? __handle_mm_fault+0xbde/0x3410 | |
55 | [75519.448830] ? sock_setsockopt+0x3d2/0x1940 | |
56 | [75519.500516] ? __lock_acquire.isra.25+0xdc/0x19d0 | |
57 | [75519.558448] ? lock_downgrade+0x650/0x650 | |
58 | [75519.608057] ? __audit_syscall_entry+0x317/0x720 | |
59 | [75519.664960] ? __fget_light+0x58/0x250 | |
60 | [75519.711325] ? __sys_sendmsg+0xde/0x170 | |
61 | [75519.758850] __sys_sendmsg+0xde/0x170 | |
62 | [75519.804193] ? __ia32_sys_shutdown+0x90/0x90 | |
63 | [75519.856725] ? syscall_trace_enter+0x897/0x10e0 | |
64 | [75519.912354] ? trace_event_raw_event_sys_enter+0x920/0x920 | |
65 | [75519.979432] ? __audit_syscall_entry+0x720/0x720 | |
66 | [75520.036118] do_syscall_64+0xa3/0x3d0 | |
67 | [75520.081248] ? prepare_exit_to_usermode+0x47/0x1d0 | |
68 | [75520.139904] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
69 | [75520.201680] RIP: 0033:0x7fc153320ba0 | |
70 | [75520.245772] RSP: 002b:00007ffe294c3638 EFLAGS: 00000246 ORIG_RAX: 000000000000002e | |
71 | [75520.337708] RAX: ffffffffffffffda RBX: 00007ffe294c4820 RCX: 00007fc153320ba0 | |
72 | [75520.424547] RDX: 0000000000000000 RSI: 00007ffe294c46b0 RDI: 0000000000000003 | |
73 | [75520.511386] RBP: 00007ffe294c47b0 R08: 0000000000000004 R09: 0000000002114090 | |
74 | [75520.598225] R10: 00007ffe294c30a0 R11: 0000000000000246 R12: 00007ffe294c3660 | |
75 | [75520.684961] R13: 0000000000000001 R14: 00007ffe294c3650 R15: 0000000000000001 | |
76 | ||
77 | [75520.790946] Allocated by task 7356: | |
78 | [75520.833994] kasan_kmalloc+0xa6/0xd0 | |
79 | [75520.878088] __kmalloc+0x189/0x450 | |
80 | [75520.920107] nft_trans_alloc_gfp+0x20/0x190 [nf_tables] | |
81 | [75520.983961] nf_tables_newtable+0xcd0/0x1bd0 [nf_tables] | |
82 | [75521.048857] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink] | |
83 | [75521.108655] netlink_unicast+0x45d/0x680 | |
84 | [75521.157013] netlink_sendmsg+0x6fa/0xd30 | |
85 | [75521.205271] sock_sendmsg+0xd9/0x160 | |
86 | [75521.249365] ___sys_sendmsg+0x64d/0x980 | |
87 | [75521.296686] __sys_sendmsg+0xde/0x170 | |
88 | [75521.341822] do_syscall_64+0xa3/0x3d0 | |
89 | [75521.386957] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
90 | ||
91 | [75521.467867] Freed by task 23454: | |
92 | [75521.507804] __kasan_slab_free+0x132/0x180 | |
93 | [75521.558137] kfree+0x14d/0x4d0 | |
94 | [75521.596005] free_rt_sched_group+0x153/0x280 | |
95 | [75521.648410] sched_autogroup_create_attach+0x19a/0x520 | |
96 | [75521.711330] ksys_setsid+0x2ba/0x400 | |
97 | [75521.755529] __ia32_sys_setsid+0xa/0x10 | |
98 | [75521.802850] do_syscall_64+0xa3/0x3d0 | |
99 | [75521.848090] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
100 | ||
101 | [75521.929000] The buggy address belongs to the object at ffff881bdb643f80 | |
102 | which belongs to the cache kmalloc-96 of size 96 | |
103 | [75522.079797] The buggy address is located 72 bytes inside of | |
104 | 96-byte region [ffff881bdb643f80, ffff881bdb643fe0) | |
105 | [75522.221234] The buggy address belongs to the page: | |
106 | [75522.280100] page:ffffea006f6d90c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0 | |
107 | [75522.377443] flags: 0x2fffff80000100(slab) | |
108 | [75522.426956] raw: 002fffff80000100 0000000000000000 0000000000000000 0000000180200020 | |
109 | [75522.521275] raw: ffffea006e6fafc0 0000000c0000000c ffff881bf180f400 0000000000000000 | |
110 | [75522.615601] page dumped because: kasan: bad access detected | |
111 | ||
112 | Fixes: 37a9cc525525 ("netfilter: nf_tables: add generation mask to sets") | |
113 | Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> | |
114 | Acked-by: Florian Westphal <fw@strlen.de> | |
115 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | |
116 | Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> | |
117 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
118 | --- | |
119 | net/netfilter/nf_tables_api.c | 11 ++++++----- | |
120 | 1 file changed, 6 insertions(+), 5 deletions(-) | |
121 | ||
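--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2710,12 +2710,13 @@ static struct nft_set *nf_tables_set_loo
 	u32 id = ntohl(nla_get_be32(nla));
 
 	list_for_each_entry(trans, &net->nft.commit_list, list) {
-		struct nft_set *set = nft_trans_set(trans);
+		if (trans->msg_type == NFT_MSG_NEWSET) {
+			struct nft_set *set = nft_trans_set(trans);
 
-		if (trans->msg_type == NFT_MSG_NEWSET &&
-		    id == nft_trans_set_id(trans) &&
-		    nft_active_genmask(set, genmask))
-			return set;
+			if (id == nft_trans_set_id(trans) &&
+			    nft_active_genmask(set, genmask))
+				return set;
+		}
 	}
 	return ERR_PTR(-ENOENT);
 }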
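Review bot: The new `if (trans->msg_type == NFT_MSG_NEWSET)` guard placed above `nft_trans_set(trans)` carries no comment saying why the ordering matters, so a later refactor could hoist the accessor back out of the guard and reintroduce the slab-out-of-bounds read the commit log describes. A short comment on the guard, `/* nft_trans_set() is only valid for NFT_MSG_NEWSET transactions; other types are allocated with a smaller payload, so reading it first is an out-of-bounds read */`, would pin that invariant next to the code. The same ordering hazard presumably applies to any other commit_list walk in this file that calls an `nft_trans_*()` accessor before checking `msg_type`; that is worth auditing but cannot be confirmed from this hunk. On style, a `continue` guard would keep the loop body flat instead of adding a nesting level: `if (trans->msg_type != NFT_MSG_NEWSET) continue;` followed by the original `set` lookup and return. The enclosing function begins above the hunk, so its parameters are not visible here.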