netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: William Mcvicker <willmcvicker@google.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: security@kernel.org, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	Florian Westphal <fw@strlen.de>,
	"David S. Miller" <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-team@android.com, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/1] netfilter: nat: add a range check for l3/l4 protonum
Date: Mon, 3 Aug 2020 18:31:56 +0000	[thread overview]
Message-ID: <20200803183156.GA3084830@google.com> (raw)
In-Reply-To: <20200731181633.GA1209076@google.com>

[-- Attachment #1: Type: text/plain, Size: 1799 bytes --]

Hi,

I have attached the follow up fix that checks for the proto index during
conntrack creation.

Thanks,
Will

On 07/31/2020, William Mcvicker wrote:
> Hi Pablo,
> 
> > Note that this code does not exist in the tree anymore. I'm not sure
> > if this problem still exists upstream, this patch does not apply to
> > nf.git. This fix should only go for -stable maintainers.
> 
> Right, the vulnerability has been fixed by the refactor commit fe2d0020994cd
> ("netfilter: nat: remove l4proto->in_range"), but this patch is a part of
> a full re-work of the code and doesn't backport very cleanly to the LTS
> branches. So this fix is only applicable to the 4.19, 4.14, 4.9, and 4.4 LTS
> branches. I missed the -stable email, but will re-add it to this thread with
> the re-worked patch.
> 
> Thanks,
> Will
> 
> On 07/31/2020, Pablo Neira Ayuso wrote:
> > Hi William,
> > 
> > On Fri, Jul 31, 2020 at 12:26:11AM +0000, William Mcvicker wrote:
> > > Hi Pablo,
> > > 
> > > Yes, I believe this oops is only triggered by userspace when the user
> > > specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work
> > > the patch to check for this in ctnetlink_create_conntrack().
> > 
> > Great.
> > 
> > Note that this code does not exist in the tree anymore. I'm not sure
> > if this problem still exists upstream, this patch does not apply to
> > nf.git. This fix should only go for -stable maintainers.
> > 
> > > > BTW, do you have a Fixes: tag for this? This will be useful for
> > > > -stable maintainer to pick up this fix.
> > > 
> > > Regarding the Fixes: tag, I don't have one offhand since this bug was reported
> > > to me, but I can search through the code history to find the commit that
> > > exposed this vulnerability.
> > 
> > That would be great.
> > 
> > Thank you.

[-- Attachment #2: 0001-netfilter-nat-add-a-range-check-for-l3-l4-protonum.patch --]
[-- Type: text/x-diff, Size: 2041 bytes --]

From 2a9d621fa5c225e6aece6b4622a9a816c6fcfa0d Mon Sep 17 00:00:00 2001
From: Will McVicker <willmcvicker@google.com>
Date: Fri, 31 Jul 2020 13:10:43 -0700
Subject: [PATCH] netfilter: nat: add a range check for l3/l4 protonum

The indexes to the nf_nat_l[34]protos arrays come from userspace. So
check the tuple's family, e.g. l3num, when creating the conntrack in
order to prevent an OOB memory access during setup.  Here is an example
kernel panic on 4.14.180 when userspace passes in an index greater than
NFPROTO_NUMPROTO.

Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:...
Process poc (pid: 5614, stack limit = 0x00000000a3933121)
CPU: 4 PID: 5614 Comm: poc Tainted: G S      W  O    4.14.180-g051355490483
Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
task: 000000002a3dfffe task.stack: 00000000a3933121
pc : __cfi_check_fail+0x1c/0x24
lr : __cfi_check_fail+0x1c/0x24
...
Call trace:
__cfi_check_fail+0x1c/0x24
name_to_dev_t+0x0/0x468
nfnetlink_parse_nat_setup+0x234/0x258
ctnetlink_parse_nat_setup+0x4c/0x228
ctnetlink_new_conntrack+0x590/0xc40
nfnetlink_rcv_msg+0x31c/0x4d4
netlink_rcv_skb+0x100/0x184
nfnetlink_rcv+0xf4/0x180
netlink_unicast+0x360/0x770
netlink_sendmsg+0x5a0/0x6a4
___sys_sendmsg+0x314/0x46c
SyS_sendmsg+0xb4/0x108
el0_svc_naked+0x34/0x38

Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
Signed-off-by: Will McVicker <willmcvicker@google.com>
---
 net/netfilter/nf_conntrack_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 31fa94064a62..56d310f8b29a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[],
 	if (!tb[CTA_TUPLE_IP])
 		return -EINVAL;
 
+	if (l3num >= NFPROTO_NUMPROTO)
+		return -EINVAL;
 	tuple->src.l3num = l3num;
 
 	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
-- 
2.28.0.163.g6104cc2f0b6-goog


  reply	other threads:[~2020-08-03 18:32 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-27 17:57 [PATCH 0/1] Netfilter OOB memory access security patch Will McVicker
2020-07-27 17:57 ` [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[] Will McVicker
2020-07-29 21:46   ` Pablo Neira Ayuso
2020-07-31  0:26     ` William Mcvicker
2020-07-31 17:51       ` Pablo Neira Ayuso
2020-07-31 18:16         ` William Mcvicker
2020-08-03 18:31           ` William Mcvicker [this message]
2020-08-04 11:37             ` [PATCH v2 1/1] netfilter: nat: add a range check for l3/l4 protonum Pablo Neira Ayuso
2020-08-24 19:38               ` [PATCH v3 0/1] " Will McVicker
2020-08-24 19:38                 ` [PATCH v3 1/1] " Will McVicker
2020-08-28 16:42                   ` Pablo Neira Ayuso
2020-08-28 16:45                     ` Florian Westphal
2020-08-28 17:11                       ` Pablo Neira Ayuso
2020-09-01 15:36               ` [PATCH v2 " Will Deacon
2020-09-01 17:29                 ` William Mcvicker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200803183156.GA3084830@google.com \
    --to=willmcvicker@google.com \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=kernel-team@android.com \
    --cc=kuznet@ms2.inr.ac.ru \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=security@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).