From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752464AbcFXCrC (ORCPT ); Thu, 23 Jun 2016 22:47:02 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:54166 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751530AbcFXCrA (ORCPT ); Thu, 23 Jun 2016 22:47:00 -0400 Date: Thu, 23 Jun 2016 19:46:59 -0700 From: Greg Kroah-Hartman To: Florian Westphal Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Pablo Neira Ayuso Subject: Re: [PATCH 3.14 21/29] netfilter: x_tables: validate targets of jumps Message-ID: <20160624024659.GA30651@kroah.com> References: <20160622223530.496939726@linuxfoundation.org> <20160622223531.668543902@linuxfoundation.org> <20160623085450.GA4662@breakpoint.cc> <20160623091347.GB4662@breakpoint.cc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160623091347.GB4662@breakpoint.cc> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 23, 2016 at 11:13:47AM +0200, Florian Westphal wrote: > Florian Westphal wrote: > > Greg Kroah-Hartman wrote: > > > 3.14-stable review patch. If anyone has any objections, please let me know. > > > > I have -- this doesn't work in 3.14 as t->entries (the ruleset blob) > > is still kept percpu. > > > > > +static bool find_jump_target(const struct xt_table_info *t, > > > + const struct arpt_entry *target) > > > +{ > > > + struct arpt_entry *iter; > > > + > > > + xt_entry_foreach(iter, t->entries, t->size) { > > > > > > .. so this causes in kernel soft lockup when I try to insert a rule. > > > > I will go over the 3.14 stable queue and see if I can amend this to work > > with 3.14. > > This amended patch works for me (iptables-test.py passes except those > tests that I expected to fail due to some missing features in 3.14). > > I also briefly tried 32bit iptables/ip6tables and that seems happy > as well. The reproduces for the two bugs fail with -EINVAL. > > ebtables doesn't work (even ebtables -A INPUT -j ACCEPT fails), but > that should be solved by picking up > d26e2c9ffa385dd1b646f43c1397ba12af9e, "Revert "netfilter: ensure number > of counters is >0 in do_replace()" [ its a PARTIAL revert, so don't drop > the original patch ... ] > > Subject: netfilter: x_tables: validate targets of jumps > > commit 36472341017529e2b12573093cc0f68719300997 upstream. > > When we see a jump also check that the offset gets us to beginning of > a rule (an ipt_entry). > > The extra overhead is negible, even with absurd cases. > > 300k custom rules, 300k jumps to 'next' user chain: > [ plus one jump from INPUT to first userchain ]: > > Before: > real 0m24.874s > user 0m7.532s > sys 0m16.076s > > After: > real 0m27.464s > user 0m7.436s > sys 0m18.840s > > Signed-off-by: Florian Westphal > Signed-off-by: Pablo Neira Ayuso > Signed-off-by: Greg Kroah-Hartman > --- > Need to pass the start of the ruleset as extra argument as > t->entries won't work in 3.14 (its percpu and not even set > up for all processors at this point). Thank you for the update, now applied. greg k-h