netfilter-devel.vger.kernel.org archive mirror
* [PATCH 4.14.y] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()
@ 2018-07-05 16:31 Florian Westphal
  2018-07-05 16:49 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2018-07-05 16:31 UTC (permalink / raw)
  To: stable; +Cc: netfilter-devel, Taehee Yoo, Pablo Neira Ayuso, Florian Westphal

From: Taehee Yoo <ap420073@gmail.com>

commit 360cc79d9d299ce297b205508276285ceffc5fa8 upstream.

The table field in nft_obj_filter is not an array. In order to check
tablename, we should check if the pointer is set.

Test commands:

   %nft add table ip filter
   %nft add counter ip filter ct1
   %nft reset counters

Splat looks like:

[  306.510504] kasan: CONFIG_KASAN_INLINE enabled
[  306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables
[  306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17
[  306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
[  306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables]
[  306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246
[  306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000
[  306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a
[  306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b
[  306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108
[  306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860
[  306.528284] FS:  00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
[  306.528284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0
[  306.528284] Call Trace:
[  306.528284]  netlink_dump+0x470/0xa20
[  306.528284]  __netlink_dump_start+0x5ae/0x690
[  306.528284]  ? nf_tables_getobj+0x1b3/0x740 [nf_tables]
[  306.528284]  nf_tables_getobj+0x2f5/0x740 [nf_tables]
[  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
[  306.528284]  ? nf_tables_getobj+0x740/0x740 [nf_tables]
[  306.528284]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
[  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
[  306.528284]  nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink]
[  306.528284]  ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink]
[  306.528284]  netlink_rcv_skb+0x1c9/0x2f0
[  306.528284]  ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
[  306.528284]  ? debug_check_no_locks_freed+0x270/0x270
[  306.528284]  ? netlink_ack+0x7a0/0x7a0
[  306.528284]  ? ns_capable_common+0x6e/0x110
[ ... ]

Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 60936bca3181..85b549e84104 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4614,7 +4614,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
 				if (idx > s_idx)
 					memset(&cb->args[1], 0,
 					       sizeof(cb->args) - sizeof(cb->args[0]));
-				if (filter && filter->table[0] &&
+				if (filter && filter->table &&
 				    strcmp(filter->table, table->name))
 					goto cont;
 				if (filter &&
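Review bot: the `-`/`+` pair changes what a non-NULL but empty `filter->table` means. The old `filter->table[0]` read treated an empty string as "no table restriction"; with `filter && filter->table &&` an empty string passes the pointer test, `strcmp("", table->name)` is non-zero and every object takes `goto cont`, so the dump emits nothing. That is harmless if the filter only ever holds NULL or a non-empty name copied from the request attribute, but if an empty attribute can reach this point, `filter && filter->table && filter->table[0] &&` keeps the previous semantics while still avoiding the NULL dereference this patch removes.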
-- 
2.16.4


* Re: [PATCH 4.14.y] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj()
  2018-07-05 16:31 [PATCH 4.14.y] netfilter: nf_tables: fix NULL-ptr in nf_tables_dump_obj() Florian Westphal
@ 2018-07-05 16:49 ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2018-07-05 16:49 UTC (permalink / raw)
  To: Florian Westphal; +Cc: stable, netfilter-devel, Taehee Yoo, Pablo Neira Ayuso

On Thu, Jul 05, 2018 at 06:31:07PM +0200, Florian Westphal wrote:
> From: Taehee Yoo <ap420073@gmail.com>
> 
> commit 360cc79d9d299ce297b205508276285ceffc5fa8 upstream.
> 
> The table field in nft_obj_filter is not an array. In order to check
> tablename, we should check if the pointer is set.
> 
> Test commands:
> 
>    %nft add table ip filter
>    %nft add counter ip filter ct1
>    %nft reset counters
> 
> Splat looks like:
> 
> [  306.510504] kasan: CONFIG_KASAN_INLINE enabled
> [  306.516184] kasan: GPF could be caused by NULL-ptr deref or user memory access
> [  306.524775] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
> [  306.528284] Modules linked in: nft_objref nft_counter nf_tables nfnetlink ip_tables x_tables
> [  306.528284] CPU: 0 PID: 1488 Comm: nft Not tainted 4.17.0-rc4+ #17
> [  306.528284] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
> [  306.528284] RIP: 0010:nf_tables_dump_obj+0x52c/0xa70 [nf_tables]
> [  306.528284] RSP: 0018:ffff8800b6cb7520 EFLAGS: 00010246
> [  306.528284] RAX: 0000000000000000 RBX: ffff8800b6c49820 RCX: 0000000000000000
> [  306.528284] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffed0016d96e9a
> [  306.528284] RBP: ffff8800b6cb75c0 R08: ffffed00236fce7c R09: ffffed00236fce7b
> [  306.528284] R10: ffffffff9f6241e8 R11: ffffed00236fce7c R12: ffff880111365108
> [  306.528284] R13: 0000000000000000 R14: ffff8800b6c49860 R15: ffff8800b6c49860
> [  306.528284] FS:  00007f838b007700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
> [  306.528284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  306.528284] CR2: 00007ffeafabcf78 CR3: 00000000b6cbe000 CR4: 00000000001006f0
> [  306.528284] Call Trace:
> [  306.528284]  netlink_dump+0x470/0xa20
> [  306.528284]  __netlink_dump_start+0x5ae/0x690
> [  306.528284]  ? nf_tables_getobj+0x1b3/0x740 [nf_tables]
> [  306.528284]  nf_tables_getobj+0x2f5/0x740 [nf_tables]
> [  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
> [  306.528284]  ? nf_tables_getobj+0x740/0x740 [nf_tables]
> [  306.528284]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
> [  306.528284]  ? nft_obj_notify+0x100/0x100 [nf_tables]
> [  306.528284]  nfnetlink_rcv_msg+0x8ff/0x932 [nfnetlink]
> [  306.528284]  ? nfnetlink_rcv_msg+0x216/0x932 [nfnetlink]
> [  306.528284]  netlink_rcv_skb+0x1c9/0x2f0
> [  306.528284]  ? nfnetlink_bind+0x1d0/0x1d0 [nfnetlink]
> [  306.528284]  ? debug_check_no_locks_freed+0x270/0x270
> [  306.528284]  ? netlink_ack+0x7a0/0x7a0
> [  306.528284]  ? ns_capable_common+0x6e/0x110
> [ ... ]
> 
> Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars")
> Signed-off-by: Taehee Yoo <ap420073@gmail.com>
> Acked-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

This worked, thanks!

greg k-h
