From: Florian Westphal
To: Harshit Mogalapalli
Cc: syzkaller@googlegroups.com, george.kennedy@oracle.com, vegard.nossum@oracle.com, john.p.donnelly@oracle.com, Pablo Neira Ayuso, Jozsef Kadlecsik, Roopa Prabhu, Nikolay Aleksandrov, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Sat, 20 Aug 2022 18:26:57 +0200
Subject: Re: [PATCH] netfilter: ebtables: fix a NULL pointer dereference in ebt_do_table()
In-Reply-To: <20220820070331.48817-1-harshit.m.mogalapalli@oracle.com>

Harshit Mogalapalli wrote:
> In ebt_do_table() function dereferencing 'private->hook_entry[hook]'
> can lead to NULL pointer dereference. So add a check to prevent that.

This looks incorrect, i.e. papering over the problem.

If hook_entry[hook] is NULL, how did this make it to the eval loop?

I guess ebtables lacks a sanity check on incoming ruleset?
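
The distinction raised in the reply, shown as an added user-space C model that is not code from this thread or from the kernel: the ruleset is rejected when it is loaded, so the evaluation path can rely on hook_entry[hook] being set instead of testing it per packet. The struct layout, NUM_HOOKS, the valid_hooks bitmask, the sample tables and all function names are assumptions made for illustration; only hook_entry[hook] comes from the message.

```c
#include <stddef.h>
#include <stdio.h>

#define NUM_HOOKS 6                    /* assumed hook count for this model */

struct rule_chain { int policy; };     /* stand-in for one chain's entries */

struct table_info {                    /* simplified model, not the kernel struct */
    unsigned int valid_hooks;          /* bit i set: hook i may be invoked */
    struct rule_chain *hook_entry[NUM_HOOKS];  /* entry point per hook */
};

/* Constructed sample tables: bad_table claims hook 1 but has no entry for it. */
static struct rule_chain accept_chain = { 1 };
static const struct table_info good_table = { 0x1, { &accept_chain } };
static const struct table_info bad_table  = { 0x3, { &accept_chain } };

/* Load-time check: every hook the table claims must have an entry point. */
int validate_table(const struct table_info *t)
{
    if (t == NULL || (t->valid_hooks >> NUM_HOOKS) != 0)
        return -1;                     /* missing table or unknown hook bits */
    for (unsigned int i = 0; i < NUM_HOOKS; i++)
        if (((t->valid_hooks >> i) & 1u) && t->hook_entry[i] == NULL)
            return -1;                 /* reject the whole ruleset */
    return 0;
}

/* Evaluation path: depends on the load-time invariant, no NULL test here. */
int eval_hook(const struct table_info *t, unsigned int hook)
{
    return t->hook_entry[hook]->policy;
}

/* A table reaches eval_hook() only after validation; returns -1 on rejection. */
int load_and_eval(const struct table_info *t, unsigned int hook)
{
    if (validate_table(t) != 0 || hook >= NUM_HOOKS ||
        !((t->valid_hooks >> hook) & 1u))
        return -1;
    return eval_hook(t, hook);
}

int main(void)
{
    printf("good table, hook 0: %d\n", load_and_eval(&good_table, 0));
    printf("bad table,  hook 0: %d\n", load_and_eval(&bad_table, 0));
    return 0;
}
```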