* [PATCH nf 0/2] netfilter: nf_tables: fix nf_trace related crash
@ 2022-08-01 17:15 Florian Westphal
2022-08-01 17:15 ` [PATCH nf 1/2] netfilter: nf_tables: fix crash when nf_trace is enabled Florian Westphal
2022-08-01 17:15 ` [PATCH nf 2/2] selftests: netfilter: add test case for nf trace infrastructure Florian Westphal
0 siblings, 2 replies; 3+ messages in thread
From: Florian Westphal @ 2022-08-01 17:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
The commit e34b9ed96ce3 ("netfilter: nf_tables: avoid skb access on nf_stolen")
is broken, it adds read-access to a structure that might contain
garbage.
Fix this and extend the existing nft_trans_stress.sh script to
cover this.
Florian Westphal (2):
netfilter: nf_tables: fix crash when nf_trace is enabled
selftests: netfilter: add test case for nf trace infrastructure
net/netfilter/nf_tables_core.c | 21 +++--
.../selftests/netfilter/nft_trans_stress.sh | 78 ++++++++++++++++++-
2 files changed, 86 insertions(+), 13 deletions(-)
--
2.35.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH nf 1/2] netfilter: nf_tables: fix crash when nf_trace is enabled
2022-08-01 17:15 [PATCH nf 0/2] netfilter: nf_tables: fix nf_trace related crash Florian Westphal
@ 2022-08-01 17:15 ` Florian Westphal
2022-08-01 17:15 ` [PATCH nf 2/2] selftests: netfilter: add test case for nf trace infrastructure Florian Westphal
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2022-08-01 17:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Hangbin Liu
nft_traceinfo is not initialized in info->trace is 0, so unconditional
access to info->pkt (or any other field except ->trace) is illegal.
Pass nft_pktinfo directly to avoid this.
Fixes: e34b9ed96ce3 ("netfilter: nf_tables: avoid skb access on nf_stolen")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_core.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 3ddce24ac76d..cee3e4e905ec 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -34,25 +34,23 @@ static noinline void __nft_trace_packet(struct nft_traceinfo *info,
nft_trace_notify(info);
}
-static inline void nft_trace_packet(struct nft_traceinfo *info,
+static inline void nft_trace_packet(const struct nft_pktinfo *pkt,
+ struct nft_traceinfo *info,
const struct nft_chain *chain,
const struct nft_rule_dp *rule,
enum nft_trace_types type)
{
if (static_branch_unlikely(&nft_trace_enabled)) {
- const struct nft_pktinfo *pkt = info->pkt;
-
info->nf_trace = pkt->skb->nf_trace;
info->rule = rule;
__nft_trace_packet(info, chain, type);
}
}
-static inline void nft_trace_copy_nftrace(struct nft_traceinfo *info)
+static inline void nft_trace_copy_nftrace(const struct nft_pktinfo *pkt,
+ struct nft_traceinfo *info)
{
if (static_branch_unlikely(&nft_trace_enabled)) {
- const struct nft_pktinfo *pkt = info->pkt;
-
if (info->trace)
info->nf_trace = pkt->skb->nf_trace;
}
@@ -96,7 +94,6 @@ static noinline void __nft_trace_verdict(struct nft_traceinfo *info,
const struct nft_chain *chain,
const struct nft_regs *regs)
{
- const struct nft_pktinfo *pkt = info->pkt;
enum nft_trace_types type;
switch (regs->verdict.code) {
@@ -110,7 +107,9 @@ static noinline void __nft_trace_verdict(struct nft_traceinfo *info,
break;
default:
type = NFT_TRACETYPE_RULE;
- info->nf_trace = pkt->skb->nf_trace;
+
+ if (info->trace)
+ info->nf_trace = info->pkt->skb->nf_trace;
break;
}
@@ -271,10 +270,10 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
switch (regs.verdict.code) {
case NFT_BREAK:
regs.verdict.code = NFT_CONTINUE;
- nft_trace_copy_nftrace(&info);
+ nft_trace_copy_nftrace(pkt, &info);
continue;
case NFT_CONTINUE:
- nft_trace_packet(&info, chain, rule,
+ nft_trace_packet(pkt, &info, chain, rule,
NFT_TRACETYPE_RULE);
continue;
}
@@ -318,7 +317,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
goto next_rule;
}
- nft_trace_packet(&info, basechain, NULL, NFT_TRACETYPE_POLICY);
+ nft_trace_packet(pkt, &info, basechain, NULL, NFT_TRACETYPE_POLICY);
if (static_branch_unlikely(&nft_counters_enabled))
nft_update_chain_stats(basechain, pkt);
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH nf 2/2] selftests: netfilter: add test case for nf trace infrastructure
2022-08-01 17:15 [PATCH nf 0/2] netfilter: nf_tables: fix nf_trace related crash Florian Westphal
2022-08-01 17:15 ` [PATCH nf 1/2] netfilter: nf_tables: fix crash when nf_trace is enabled Florian Westphal
@ 2022-08-01 17:15 ` Florian Westphal
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2022-08-01 17:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Enable/disable tracing infrastructure while packets are in-flight.
This triggers KASAN splat after
e34b9ed96ce3 ("netfilter: nf_tables: avoid skb access on nf_stolen").
Signed-off-by: Florian Westphal <fw@strlen.de>
---
.../selftests/netfilter/nft_trans_stress.sh | 78 ++++++++++++++++++-
1 file changed, 76 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh
index f1affd12c4b1..4a14bca99dee 100755
--- a/tools/testing/selftests/netfilter/nft_trans_stress.sh
+++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
@@ -9,8 +9,27 @@
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
-testns=testns1
+testns=testns-$(mktemp -u "XXXXXXXX")
+
tables="foo bar baz quux"
+global_ret=0
+eret=0
+lret=0
+
+check_result()
+{
+ local r=$1
+ local OK="PASS"
+
+ if [ $r -ne 0 ] ;then
+ OK="FAIL"
+ global_ret=$r
+ fi
+
+ echo "$OK: nft $2 test returned $r"
+
+ eret=0
+}
nft --version > /dev/null 2>&1
if [ $? -ne 0 ];then
@@ -59,20 +78,75 @@ done)
sleep 1
+ip netns exec "$testns" nft -f "$tmp"
for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done
for table in $tables;do
randsleep=$((RANDOM%10))
sleep $randsleep
- ip netns exec "$testns" nft delete table inet $table 2>/dev/null
+ ip netns exec "$testns" nft delete table inet $table # 2>/dev/null
+ lret=$?
+ if [ $lret -ne 0 ]; then
+ eret=$lret
+ fi
done
+check_result $eret "add/delete"
+
randsleep=$((RANDOM%10))
sleep $randsleep
+for i in $(seq 1 10) ; do
+ (echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
+
+ lret=$?
+ if [ $lret -ne 0 ]; then
+ eret=$lret
+ fi
+done
+
+check_result $eret "reload"
+
+for i in $(seq 1 10) ; do
+ (echo "flush ruleset"; cat "$tmp"
+ echo "insert rule inet foo INPUT meta nftrace set 1"
+ echo "insert rule inet foo OUTPUT meta nftrace set 1"
+ ) | ip netns exec "$testns" nft -f /dev/stdin
+ lret=$?
+ if [ $lret -ne 0 ]; then
+ eret=$lret
+ fi
+
+ (echo "flush ruleset"; cat "$tmp"
+ ) | ip netns exec "$testns" nft -f /dev/stdin
+
+ lret=$?
+ if [ $lret -ne 0 ]; then
+ eret=$lret
+ fi
+done
+
+check_result $eret "add/delete with nftrace enabled"
+
+echo "insert rule inet foo INPUT meta nftrace set 1" >> $tmp
+echo "insert rule inet foo OUTPUT meta nftrace set 1" >> $tmp
+
+for i in $(seq 1 10) ; do
+ (echo "flush ruleset"; cat "$tmp") | ip netns exec "$testns" nft -f /dev/stdin
+
+ lret=$?
+ if [ $lret -ne 0 ]; then
+ eret=1
+ fi
+done
+
+check_result $lret "add/delete with nftrace enabled"
+
pkill -9 ping
wait
rm -f "$tmp"
ip netns del "$testns"
+
+exit $global_ret
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-08-01 17:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-01 17:15 [PATCH nf 0/2] netfilter: nf_tables: fix nf_trace related crash Florian Westphal
2022-08-01 17:15 ` [PATCH nf 1/2] netfilter: nf_tables: fix crash when nf_trace is enabled Florian Westphal
2022-08-01 17:15 ` [PATCH nf 2/2] selftests: netfilter: add test case for nf trace infrastructure Florian Westphal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.