netdev.vger.kernel.org archive mirror
* [PATCH 0/2] Netfilter fixes for net
@ 2017-11-01 18:48 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-11-01 18:48 UTC
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains two one-liner fixes for your net tree;
they are:

1) Disable fast hash operations for 2-byte length keys, which is leading
   to incorrect lookups in nf_tables, from Anatole Denis.

2) Reload the IPv4 header pointer after ip_route_me_harder(), given this
   may result in a use-after-free due to skbuff header reallocation; patch
   from Tejaswi Tanikella.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 28e33f9d78eefe98ea86673ab31e988b37a9a738:

  bpf: disallow arithmetic operations on context pointer (2017-10-18 13:21:13 +0100)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 7400bb4b5800831581a82f71700af6a5e815c3c8:

  netfilter: nf_reject_ipv4: Fix use-after-free in send_reset (2017-11-01 12:15:29 +0100)

----------------------------------------------------------------
Anatole Denis (1):
      netfilter: nft_set_hash: disable fast_ops for 2-len keys

Tejaswi Tanikella (1):
      netfilter: nf_reject_ipv4: Fix use-after-free in send_reset

 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/netfilter/nft_set_hash.c        | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)


* [PATCH 1/2] netfilter: nft_set_hash: disable fast_ops for 2-len keys
From: Pablo Neira Ayuso @ 2017-11-01 18:48 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Anatole Denis <anatole@rezel.net>

jhash_1word of a u16 is a different value from jhash of the same u16 with
length 2.
Since elements are always inserted in sets using jhash over the actual
klen, this would lead to incorrect lookups on fixed-size sets with a key
length of 2, as they would be inserted with hash value jhash(key, 2) and
looked up with hash value jhash_1word(key), which is different.

Example reproducer (v4.13+), using anonymous sets, which always have a
fixed size:

  table inet t {
      chain c {
          type filter hook output priority 0; policy accept;
          tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
          tcp dport 10001 counter packets 4 bytes 240 reject
          tcp dport 10003 counter packets 4 bytes 240 reject
          tcp dport 10005 counter packets 4 bytes 240 reject
          tcp dport 10007 counter packets 0 bytes 0 reject
          tcp dport 10009 counter packets 4 bytes 240 reject
      }
  }

then use nc -z localhost <port> to probe; incorrectly hashed ports will
pass through the set lookup and increment the counter of an individual
rule.

jhash being seeded with a random value, it is not deterministic which
ports will incorrectly hash, but in testing with 5 ports in the set I
always had 4 or 5 with an incorrect hash value.

Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_set_hash.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 0fa01d772c5e..9c0d5a7ce5f9 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -643,7 +643,6 @@ nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc,
 {
 	if (desc->size) {
 		switch (desc->klen) {
-		case 2:
 		case 4:
 			return &nft_hash_fast_ops;
 		default:
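Review bot: dropping `case 2:` is the right minimal fix, but the surviving `case 4:` is now unexplained in the code, and nothing here stops someone re-adding the 2-byte case later. The commit message already states the cause (inserts hash with jhash() over the real klen, the fast path hashes with jhash_1word(), and the two differ for a 2-byte key); jhash_1word() hashes a u32 with the length 4 folded into its initial state, so it only agrees with jhash() for 4-byte keys, and on a 2-byte key it also reads two bytes past the key. Suggest a one-line comment on the case label, e.g. `case 4:	/* jhash_1word() only matches jhash() for 4-byte keys */`, above `return &nft_hash_fast_ops;`.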
-- 
2.11.0

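The hash mismatch the commit message describes, as an added userspace example that is not part of the patch or the kernel tree: a reimplementation of jhash() from include/linux/jhash.h (restricted to keys of up to 12 bytes) and jhash_1word(), used to check whether the insert hash (jhash over klen) and the fast lookup hash (jhash_1word) agree. It goes one step beyond the message by also showing why `case 4:` can stay: jhash_1word() folds the length 4 into its initial state, so for a 4-byte key it equals jhash(). A little-endian host and a constructed seed are assumed; `jhash_short` and `fast_ops_consistent` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>

#define JHASH_INITVAL 0xdeadbeef
#define rol32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
/* Final mixing step, following the lookup3 layout of include/linux/jhash.h. */
#define __jhash_final(a, b, c) do {                          \
	c ^= b; c -= rol32(b, 14);  a ^= c; a -= rol32(c, 11); \
	b ^= a; b -= rol32(a, 25);  c ^= b; c -= rol32(b, 16); \
	a ^= c; a -= rol32(c, 4);   b ^= a; b -= rol32(a, 14); \
	c ^= b; c -= rol32(b, 24); } while (0)

/* jhash() for keys of 1..12 bytes, enough for nft set keys of klen 2 and 4
 * (the >12-byte mixing loop is omitted). Little-endian host assumed. */
static uint32_t jhash_short(const void *key, uint32_t length, uint32_t initval)
{
	const uint8_t *k = key;
	uint32_t w[3] = {0, 0, 0}, a, b, c;
	for (uint32_t i = 0; i < length; i++)
		w[i / 4] += (uint32_t)k[i] << (8 * (i % 4));
	/* The key length is folded into the initial state: a 2-byte key hashed
	 * here therefore differs from jhash_1word() of the same value. */
	a = b = c = JHASH_INITVAL + length + initval;
	a += w[0]; b += w[1]; c += w[2];
	__jhash_final(a, b, c);
	return c;
}

/* jhash_1word(): hash one u32, the nft_hash_fast_ops lookup path. Its initial
 * state is JHASH_INITVAL + 4 + initval, exactly jhash() of a 4-byte key. */
static uint32_t jhash_1word(uint32_t a, uint32_t initval)
{
	uint32_t b = 0, c = 0;
	initval += JHASH_INITVAL + (1 << 2);
	a += initval; b += initval; c += initval;
	__jhash_final(a, b, c);
	return c;
}

/* 1 when insert (jhash over klen) and fast lookup (jhash_1word) agree. */
static int fast_ops_consistent(uint32_t klen, uint32_t key, uint32_t seed)
{
	return jhash_short(&key, klen, seed) == jhash_1word(key, seed);
}

int main(void)
{
	uint32_t seed = 0x12345678;  /* constructed; the kernel seeds each set randomly */
	printf("klen 4: %d  klen 2: %d\n", fast_ops_consistent(4, 10001, seed),
	       fast_ops_consistent(2, 10001, seed));
	return 0;
}
```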

* [PATCH 2/2] netfilter: nf_reject_ipv4: Fix use-after-free in send_reset
From: Pablo Neira Ayuso @ 2017-11-01 18:48 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Tejaswi Tanikella <tejaswit@codeaurora.org>

niph is not updated after pskb_expand_head changes the skb head. It
still points to the freed data, which is then used to update tot_len and
checksum. This could cause a use-after-free poison crash.

Update niph if ip_route_me_harder does not fail.

This only affects the interaction with REJECT targets and br_netfilter.

Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index eeacbdaf7cdf..5cd06ba3535d 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -132,6 +132,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
 		goto free_nskb;
 
+	niph = ip_hdr(nskb);
+
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;
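Review bot: the reload is placed correctly, after the `ip_route_me_harder()` failure check and before the later uses of niph, but a bare `niph = ip_hdr(nskb);` reads like a redundant reassignment and is easy to drop in a later cleanup. Add a comment stating why it is needed, e.g. `/* ip_route_me_harder() may have reallocated the skb head, refresh niph */`. The context lines here only show the MTU check; the uses that actually dereference the stale pointer (the tot_len and checksum updates named in the commit message) are outside the hunk, so naming them in a comment or extending the hunk context would make the fix reviewable without opening the file.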
-- 
2.11.0



* Re: [PATCH 0/2] Netfilter fixes for net
From: David Miller @ 2017-11-02  7:53 UTC
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed,  1 Nov 2017 19:48:10 +0100

> The following patchset contains two one-liner fixes for your net tree,
> they are:
> 
> 1) Disable fast hash operations for 2-bytes length keys which is leading
>    to incorrect lookups in nf_tables, from Anatole Denis.
> 
> 2) Reload pointer ipv4 header after ip_route_me_harder() given this may
>    result in use-after-free due to skbuff header reallocation, patch
>    from Tejaswi Tanikella.
> 
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks a lot Pablo.

