* [PATCH net 1/4] netfilter: nftables: fix incorrect increment of loop counter
2020-12-18 12:04 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
@ 2020-12-18 12:04 ` Pablo Neira Ayuso
2020-12-19 2:20 ` patchwork-bot+netdevbpf
2020-12-18 12:04 ` [PATCH net 2/4] netfilter: x_tables: Update remaining dereference to RCU Pablo Neira Ayuso
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-18 12:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Colin Ian King <colin.king@canonical.com>
The intention of the err_expr cleanup path is to iterate over the
allocated expr_array objects and free them, starting from i - 1 and
working down to the start of the array. Currently the loop counter
is being incremented instead of decremented and also the index i is
being used instead of k, repeatedly destroying the same expr_array
element. Fix this by decrementing k and using k as the index into
expr_array.
Addresses-Coverity: ("Infinite loop")
Fixes: 8cfd9b0f8515 ("netfilter: nftables: generalize set expressions support")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8d5aa0ac45f4..4186b1e52d58 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5254,8 +5254,8 @@ static int nft_set_elem_expr_clone(const struct nft_ctx *ctx,
return 0;
err_expr:
- for (k = i - 1; k >= 0; k++)
- nft_expr_destroy(ctx, expr_array[i]);
+ for (k = i - 1; k >= 0; k--)
+ nft_expr_destroy(ctx, expr_array[k]);
return -ENOMEM;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH net 1/4] netfilter: nftables: fix incorrect increment of loop counter
2020-12-18 12:04 ` [PATCH net 1/4] netfilter: nftables: fix incorrect increment of loop counter Pablo Neira Ayuso
@ 2020-12-19 2:20 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2020-12-19 2:20 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (refs/heads/master):
On Fri, 18 Dec 2020 13:04:06 +0100 you wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The intention of the err_expr cleanup path is to iterate over the
> allocated expr_array objects and free them, starting from i - 1 and
> working down to the start of the array. Currently the loop counter
> is being incremented instead of decremented and also the index i is
> being used instead of k, repeatedly destroying the same expr_array
> element. Fix this by decrementing k and using k as the index into
> expr_array.
>
> [...]
Here is the summary with links:
- [net,1/4] netfilter: nftables: fix incorrect increment of loop counter
https://git.kernel.org/netdev/net/c/161b838e25c6
- [net,2/4] netfilter: x_tables: Update remaining dereference to RCU
https://git.kernel.org/netdev/net/c/443d6e86f821
- [net,3/4] netfilter: ipset: fixes possible oops in mtype_resize
https://git.kernel.org/netdev/net/c/2b33d6ffa9e3
- [net,4/4] netfilter: ipset: fix shift-out-of-bounds in htable_bits()
https://git.kernel.org/netdev/net/c/5c8193f568ae
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net 2/4] netfilter: x_tables: Update remaining dereference to RCU
2020-12-18 12:04 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
2020-12-18 12:04 ` [PATCH net 1/4] netfilter: nftables: fix incorrect increment of loop counter Pablo Neira Ayuso
@ 2020-12-18 12:04 ` Pablo Neira Ayuso
2020-12-18 12:04 ` [PATCH net 3/4] netfilter: ipset: fixes possible oops in mtype_resize Pablo Neira Ayuso
2020-12-18 12:04 ` [PATCH net 4/4] netfilter: ipset: fix shift-out-of-bounds in htable_bits() Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-18 12:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
This fixes the dereference to fetch the RCU pointer when holding
the appropriate xtables lock.
Reported-by: kernel test robot <lkp@intel.com>
Fixes: cc00bcaa5899 ("netfilter: x_tables: Switch synchronization to RCU")
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/arp_tables.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 563b62b76a5f..c576a63d09db 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1379,7 +1379,7 @@ static int compat_get_entries(struct net *net,
xt_compat_lock(NFPROTO_ARP);
t = xt_find_table_lock(net, NFPROTO_ARP, get.name);
if (!IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = xt_table_get_private_protected(t);
struct xt_table_info info;
ret = compat_table_info(private, &info);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6e2851f8d3a3..e8f6f9d86237 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1589,7 +1589,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
xt_compat_lock(AF_INET);
t = xt_find_table_lock(net, AF_INET, get.name);
if (!IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = xt_table_get_private_protected(t);
struct xt_table_info info;
ret = compat_table_info(private, &info);
if (!ret && get.size == info.size)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index c4f532f4d311..0d453fa9e327 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1598,7 +1598,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
xt_compat_lock(AF_INET6);
t = xt_find_table_lock(net, AF_INET6, get.name);
if (!IS_ERR(t)) {
- const struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = xt_table_get_private_protected(t);
struct xt_table_info info;
ret = compat_table_info(private, &info);
if (!ret && get.size == info.size)
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH net 3/4] netfilter: ipset: fixes possible oops in mtype_resize
2020-12-18 12:04 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
2020-12-18 12:04 ` [PATCH net 1/4] netfilter: nftables: fix incorrect increment of loop counter Pablo Neira Ayuso
2020-12-18 12:04 ` [PATCH net 2/4] netfilter: x_tables: Update remaining dereference to RCU Pablo Neira Ayuso
@ 2020-12-18 12:04 ` Pablo Neira Ayuso
2020-12-18 12:04 ` [PATCH net 4/4] netfilter: ipset: fix shift-out-of-bounds in htable_bits() Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-18 12:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Vasily Averin <vvs@virtuozzo.com>
currently mtype_resize() can cause oops
t = ip_set_alloc(htable_size(htable_bits));
if (!t) {
ret = -ENOMEM;
goto out;
}
t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));
Increased htable_bits can force htable_size() to return 0.
In own turn ip_set_alloc(0) returns not 0 but ZERO_SIZE_PTR,
so follwoing access to t->hregion should trigger an OOPS.
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_gen.h | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 5f1208ad049e..1e7dddf824ae 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -640,7 +640,7 @@ mtype_resize(struct ip_set *set, bool retried)
struct htype *h = set->data;
struct htable *t, *orig;
u8 htable_bits;
- size_t dsize = set->dsize;
+ size_t hsize, dsize = set->dsize;
#ifdef IP_SET_HASH_WITH_NETS
u8 flags;
struct mtype_elem *tmp;
@@ -664,14 +664,12 @@ mtype_resize(struct ip_set *set, bool retried)
retry:
ret = 0;
htable_bits++;
- if (!htable_bits) {
- /* In case we have plenty of memory :-) */
- pr_warn("Cannot increase the hashsize of set %s further\n",
- set->name);
- ret = -IPSET_ERR_HASH_FULL;
- goto out;
- }
- t = ip_set_alloc(htable_size(htable_bits));
+ if (!htable_bits)
+ goto hbwarn;
+ hsize = htable_size(htable_bits);
+ if (!hsize)
+ goto hbwarn;
+ t = ip_set_alloc(hsize);
if (!t) {
ret = -ENOMEM;
goto out;
@@ -813,6 +811,12 @@ mtype_resize(struct ip_set *set, bool retried)
if (ret == -EAGAIN)
goto retry;
goto out;
+
+hbwarn:
+ /* In case we have plenty of memory :-) */
+ pr_warn("Cannot increase the hashsize of set %s further\n", set->name);
+ ret = -IPSET_ERR_HASH_FULL;
+ goto out;
}
/* Get the current number of elements and ext_size in the set */
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH net 4/4] netfilter: ipset: fix shift-out-of-bounds in htable_bits()
2020-12-18 12:04 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2020-12-18 12:04 ` [PATCH net 3/4] netfilter: ipset: fixes possible oops in mtype_resize Pablo Neira Ayuso
@ 2020-12-18 12:04 ` Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2020-12-18 12:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Vasily Averin <vvs@virtuozzo.com>
htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds
UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8498 Comm: syz-executor519
Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
___sys_sendmsg+0xf3/0x170 net/socket.c:2399
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
This patch replaces htable_bits() by simple fls(hashsize - 1) call:
it alone returns valid nbits both for round and non-round hashsizes.
It is normal to set any nbits here because it is validated inside
following htable_size() call which returns 0 for nbits>31.
Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation")
Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_gen.h | 20 +++++---------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 1e7dddf824ae..6186358eac7c 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -141,20 +141,6 @@ htable_size(u8 hbits)
return hsize * sizeof(struct hbucket *) + sizeof(struct htable);
}
-/* Compute htable_bits from the user input parameter hashsize */
-static u8
-htable_bits(u32 hashsize)
-{
- /* Assume that hashsize == 2^htable_bits */
- u8 bits = fls(hashsize - 1);
-
- if (jhash_size(bits) != hashsize)
- /* Round up to the first 2^n value */
- bits = fls(hashsize);
-
- return bits;
-}
-
#ifdef IP_SET_HASH_WITH_NETS
#if IPSET_NET_COUNT > 1
#define __CIDR(cidr, i) (cidr[i])
@@ -1525,7 +1511,11 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
if (!h)
return -ENOMEM;
- hbits = htable_bits(hashsize);
+ /* Compute htable_bits from the user input parameter hashsize.
+ * Assume that hashsize == 2^htable_bits,
+ * otherwise round up to the first 2^n value.
+ */
+ hbits = fls(hashsize - 1);
hsize = htable_size(hbits);
if (hsize == 0) {
kfree(h);
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread