* [PATCH nf] netfilter: nf_tables: fix oops when inserting an element into a verdict map
@ 2016-11-06 6:40 Liping Zhang
2016-11-07 10:58 ` Arturo Borrero Gonzalez
2016-11-08 23:05 ` Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Liping Zhang @ 2016-11-06 6:40 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, dalegaard, Liping Zhang
From: Liping Zhang <zlpnobody@gmail.com>
Dalegaard says:
The following ruleset, when loaded with 'nft -f bad.txt'
----snip----
flush ruleset
table ip inlinenat {
        map sourcemap {
                type ipv4_addr : verdict;
        }

        chain postrouting {
                ip saddr vmap @sourcemap accept
        }
}
add chain inlinenat test
add element inlinenat sourcemap { 100.123.10.2 : jump test }
----snip----
results in a kernel oops:
BUG: unable to handle kernel paging request at 0000000000001344
IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
[...]
Call Trace:
[<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
[<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
[<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
[<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
[<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
[<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
[<ffffffff8132c400>] ? nla_validate+0x60/0x80
[<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]
Because we forget to fill the net pointer in bind_ctx, dereferencing
it may cause a kernel crash.
Reported-by: Dalegaard <dalegaard@gmail.com>
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7d6a626..026581b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3568,6 +3568,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
dreg = nft_type_to_reg(set->dtype);
list_for_each_entry(binding, &set->bindings, list) {
struct nft_ctx bind_ctx = {
+ .net = ctx->net,
.afi = ctx->afi,
.table = ctx->table,
.chain = (struct nft_chain *)binding->chain,
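Review bot: the commit message carries Reported-by and Signed-off-by but no Fixes: tag naming the commit that made this path read ctx->net; adding one would tell stable maintainers which kernels need the one-line ".net = ctx->net," change. In the hunk itself, bind_ctx in nft_add_set_elem() is built member by member, so any struct nft_ctx member not named in the initializer is zero; it is worth confirming that the members still left out are not read by the per-binding validation, or saying so in the commit message.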
--
2.5.5
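A user-space model of the bug class the commit message describes, added here as an illustration and not code from the patch or the kernel: the struct layouts, validate_store() and the check_binding_*() helpers are hypothetical stand-ins. It shows that a member left out of a designated initializer is NULL, and that deriving the per-binding context by copying *ctx leaves no member to forget.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types; the layouts are assumptions. */
struct net { int gencursor; };
struct nft_table { int use; };
struct nft_chain { int use; };
struct nft_ctx { struct net *net; int afi; struct nft_table *table; struct nft_chain *chain; };

/* Hypothetical validation step that reads through ctx->net; it returns
 * -EFAULT for a NULL pointer so the model reports the bug instead of crashing. */
static int validate_store(const struct nft_ctx *ctx)
{
    if (ctx->net == NULL)
        return -EFAULT;
    return ctx->net->gencursor >= 0 ? 0 : -EINVAL;
}

/* Pre-patch shape: .net is not named, so C zero-initializes it to NULL. */
static int check_binding_unpatched(const struct nft_ctx *ctx, struct nft_chain *bound)
{
    struct nft_ctx bind_ctx = { .afi = ctx->afi, .table = ctx->table, .chain = bound };
    return validate_store(&bind_ctx);
}

/* Patched shape: the one-line fix copies the net pointer as well. */
static int check_binding_patched(const struct nft_ctx *ctx, struct nft_chain *bound)
{
    struct nft_ctx bind_ctx = { .net = ctx->net, .afi = ctx->afi,
                                .table = ctx->table, .chain = bound };
    return validate_store(&bind_ctx);
}

/* Alternative (not what the patch does): copy the whole context and
 * override only the chain, so no member can be left out. */
static int check_binding_copy(const struct nft_ctx *ctx, struct nft_chain *bound)
{
    struct nft_ctx bind_ctx = *ctx;
    bind_ctx.chain = bound;
    return validate_store(&bind_ctx);
}

int main(void)
{
    struct net n = { 0 };                       /* constructed sample values */
    struct nft_table t = { 0 };
    struct nft_chain c = { 0 }, bound = { 0 };
    struct nft_ctx ctx = { .net = &n, .afi = 2, .table = &t, .chain = &c };
    printf("unpatched=%d patched=%d copy=%d\n", check_binding_unpatched(&ctx, &bound),
           check_binding_patched(&ctx, &bound), check_binding_copy(&ctx, &bound));
    return 0;
}
```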
* Re: [PATCH nf] netfilter: nf_tables: fix oops when inserting an element into a verdict map
From: Arturo Borrero Gonzalez @ 2016-11-07 10:58 UTC (permalink / raw)
To: Liping Zhang
Cc: Pablo Neira Ayuso, Netfilter Development Mailing list, dalegaard,
Liping Zhang
On 6 November 2016 at 07:40, Liping Zhang <zlpnobody@163.com> wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
>
> Dalegaard says:
> The following ruleset, when loaded with 'nft -f bad.txt'
> ----snip----
> flush ruleset
> table ip inlinenat {
>         map sourcemap {
>                 type ipv4_addr : verdict;
>         }
>
>         chain postrouting {
>                 ip saddr vmap @sourcemap accept
>         }
> }
> add chain inlinenat test
> add element inlinenat sourcemap { 100.123.10.2 : jump test }
> ----snip----
Perhaps it would be good to have this simple testcase in the nft shell
testsuite so we avoid future regressions.
* Re: [PATCH nf] netfilter: nf_tables: fix oops when inserting an element into a verdict map
From: Liping Zhang @ 2016-11-07 12:52 UTC (permalink / raw)
To: Arturo Borrero Gonzalez
Cc: Liping Zhang, Pablo Neira Ayuso,
Netfilter Development Mailing list, dalegaard
2016-11-07 18:58 GMT+08:00 Arturo Borrero Gonzalez <arturo@debian.org>:
> On 6 November 2016 at 07:40, Liping Zhang <zlpnobody@163.com> wrote:
>> From: Liping Zhang <zlpnobody@gmail.com>
>>
>> Dalegaard says:
>> The following ruleset, when loaded with 'nft -f bad.txt'
>> ----snip----
>> flush ruleset
>> table ip inlinenat {
>>         map sourcemap {
>>                 type ipv4_addr : verdict;
>>         }
>>
>>         chain postrouting {
>>                 ip saddr vmap @sourcemap accept
>>         }
>> }
>> add chain inlinenat test
>> add element inlinenat sourcemap { 100.123.10.2 : jump test }
>> ----snip----
>
> Perhaps it would be good to have this simple testcase in the nft shell
> testsuite so we avoid future regressions.
Good, I will send the related patch later.
* Re: [PATCH nf] netfilter: nf_tables: fix oops when inserting an element into a verdict map
From: Pablo Neira Ayuso @ 2016-11-08 23:05 UTC (permalink / raw)
To: Liping Zhang; +Cc: netfilter-devel, dalegaard, Liping Zhang
On Sun, Nov 06, 2016 at 02:40:01PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
>
> Dalegaard says:
> The following ruleset, when loaded with 'nft -f bad.txt'
> ----snip----
> flush ruleset
> table ip inlinenat {
>         map sourcemap {
>                 type ipv4_addr : verdict;
>         }
>
>         chain postrouting {
>                 ip saddr vmap @sourcemap accept
>         }
> }
> add chain inlinenat test
> add element inlinenat sourcemap { 100.123.10.2 : jump test }
> ----snip----
>
> results in a kernel oops:
> BUG: unable to handle kernel paging request at 0000000000001344
> IP: [<ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
> [...]
> Call Trace:
> [<ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
> [<ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
> [<ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
> [<ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
> [<ffffffff8132c630>] ? nla_strcmp+0x40/0x50
> [<ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
> [<ffffffff8132c400>] ? nla_validate+0x60/0x80
> [<ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]
>
> Because we forget to fill the net pointer in bind_ctx, dereferencing
> it may cause a kernel crash.
Applied, thanks for fixing this up, that was fast.