Date: Mon, 29 Aug 2022 16:03:20 +0200
From: Florian Westphal
To: john.p.donnelly@oracle.com
Cc: Florian Westphal, netfilter-devel@vger.kernel.org, syzkaller@googlegroups.com, george.kennedy@oracle.com, vegard.nossum@oracle.com, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Harshit Mogalapalli
Subject: Re: [PATCH nf] netfilter: ebtables: reject blobs that don't provide all entry points
Message-ID: <20220829140320.GB27814@breakpoint.cc>

john.p.donnelly@oracle.com wrote:
> On 8/20/22 12:35 PM, Florian Westphal wrote:
> > For some reason ebtables rejects blobs that provide entry points that are
> > not supported by the table.
> >
> > What it should instead reject is the opposite, i.e. rulesets that
> > DO NOT provide an entry point that is supported by the table.
> >
> > t->valid_hooks is the bitmask of hooks (input, forward ...) that will
> > see packets. So, providing an entry point that is not supported is
> > harmless (never called/used), but the reverse is NOT, this will cause
> > a crash because the ebtables traverser doesn't expect a NULL blob for
> > a location it's receiving packets for.
> >
> > Instead of fixing all the individual checks, do what iptables is doing and
> > reject all blobs that don't provide the expected hooks.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Reported-by: Harshit Mogalapalli
> > Signed-off-by: Florian Westphal
>
> Hi,
>
> Could you please add the panic stack mentioned above and syzkaller
> reproducer ID to the commit text?

I did not see a reproducer ID.
What ended up in the tree is this:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7997eff82828304b780dc0a39707e1946d6f1ebf
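The hook check described in the quoted commit message, as an added example that is not part of the thread or the kernel source: a simplified userspace C model in which only `valid_hooks` comes from the message, and every other name, the sample table and the sample blobs are constructed for illustration. It contrasts rejecting extra entry points with rejecting missing ones, and shows which blob would leave a traverser with a NULL entry.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified model: only valid_hooks is named in the thread, all else is hypothetical. */
enum { H_PRE, H_IN, H_FWD, H_OUT, H_POST, H_MAX };
struct table { unsigned int valid_hooks; };        /* hooks that will see packets */
struct blob  { const char *hook_entry[H_MAX]; };   /* stand-in chains, NULL = not provided */

/* Bitmask of the hooks the blob supplies an entry point for. */
static unsigned int provided_hooks(const struct blob *b)
{
    unsigned int mask = 0;
    for (int h = 0; h < H_MAX; h++)
        mask |= b->hook_entry[h] ? 1u << h : 0u;
    return mask;
}

/* Check the message describes as wrong: only extra entry points are rejected. */
static int check_reject_extra(const struct table *t, const struct blob *b)
{
    return (provided_hooks(b) & ~t->valid_hooks) ? -EINVAL : 0;
}

/* Check the message asks for: every hook the table uses must have an entry point. */
static int check_require_all(const struct table *t, const struct blob *b)
{
    return (t->valid_hooks & ~provided_hooks(b)) ? -EINVAL : 0;
}

/* 1 if a traverser invoked on some hook in valid_hooks would find a NULL entry. */
static int traverser_hits_null(const struct table *t, const struct blob *b)
{
    for (int h = 0; h < H_MAX; h++)
        if ((t->valid_hooks & (1u << h)) && !b->hook_entry[h])
            return 1;
    return 0;
}

/* Constructed sample data: a table hooked at input, forward and output. */
static const struct table filter = { (1u << H_IN) | (1u << H_FWD) | (1u << H_OUT) };
static const struct blob missing_fwd = { { [H_IN] = "rules", [H_OUT] = "rules" } };
static const struct blob extra_pre = { { [H_PRE] = "rules", [H_IN] = "rules",
                                         [H_FWD] = "rules", [H_OUT] = "rules" } };

int main(void)
{
    printf("blob without forward: old=%d new=%d null_entry=%d\n", check_reject_extra(&filter, &missing_fwd),
           check_require_all(&filter, &missing_fwd), traverser_hits_null(&filter, &missing_fwd));
    return 0;
}
```

The blob with the unused extra entry point is the one the older check turns away, even though the traverser never reaches that entry.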