netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Will McVicker <willmcvicker@google.com>
Cc: stable@vger.kernel.org,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	Florian Westphal <fw@strlen.de>,
	"David S. Miller" <davem@davemloft.net>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-team@android.com
Subject: Re: [PATCH v3 1/1] netfilter: nat: add a range check for l3/l4 protonum
Date: Fri, 28 Aug 2020 18:42:34 +0200	[thread overview]
Message-ID: <20200828164234.GA30990@salvia> (raw)
In-Reply-To: <20200824193832.853621-2-willmcvicker@google.com>

Hi Will,

Given this is for -stable maintainers only, I'd suggest:

1) Specify what -stable kernel versions this patch applies to.
   Explain that this problem is gone since what kernel version.

2) Maybe clarify that this is only for stable in the patch subject,
   e.g. [PATCH -stable v3] netfilter: nat: add a range check for l3/l4

Otherwise, this -stable maintainers might not identify this patch as
something that is targetted to them.

Thanks.

On Mon, Aug 24, 2020 at 07:38:32PM +0000, Will McVicker wrote:
> The indexes to the nf_nat_l[34]protos arrays come from userspace. So
> check the tuple's family, e.g. l3num, when creating the conntrack in
> order to prevent an OOB memory access during setup.  Here is an example
> kernel panic on 4.14.180 when userspace passes in an index greater than
> NFPROTO_NUMPROTO.
> 
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
> Modules linked in:...
> Process poc (pid: 5614, stack limit = 0x00000000a3933121)
> CPU: 4 PID: 5614 Comm: poc Tainted: G S      W  O    4.14.180-g051355490483
> Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
> task: 000000002a3dfffe task.stack: 00000000a3933121
> pc : __cfi_check_fail+0x1c/0x24
> lr : __cfi_check_fail+0x1c/0x24
> ...
> Call trace:
> __cfi_check_fail+0x1c/0x24
> name_to_dev_t+0x0/0x468
> nfnetlink_parse_nat_setup+0x234/0x258
> ctnetlink_parse_nat_setup+0x4c/0x228
> ctnetlink_new_conntrack+0x590/0xc40
> nfnetlink_rcv_msg+0x31c/0x4d4
> netlink_rcv_skb+0x100/0x184
> nfnetlink_rcv+0xf4/0x180
> netlink_unicast+0x360/0x770
> netlink_sendmsg+0x5a0/0x6a4
> ___sys_sendmsg+0x314/0x46c
> SyS_sendmsg+0xb4/0x108
> el0_svc_naked+0x34/0x38
> 
> Fixes: c1d10adb4a521 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
> Signed-off-by: Will McVicker <willmcvicker@google.com>
> ---
>  net/netfilter/nf_conntrack_netlink.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 31fa94064a62..0b89609a6e9d 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[],
>  	if (!tb[CTA_TUPLE_IP])
>  		return -EINVAL;
>  
> +	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
> +		return -EOPNOTSUPP;
>  	tuple->src.l3num = l3num;
>  
>  	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
> -- 
> 2.28.0.297.g1956fa8f8d-goog
> 

  reply	other threads:[~2020-08-28 16:42 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-27 17:57 [PATCH 0/1] Netfilter OOB memory access security patch Will McVicker
2020-07-27 17:57 ` [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[] Will McVicker
2020-07-29 21:46   ` Pablo Neira Ayuso
2020-07-31  0:26     ` William Mcvicker
2020-07-31 17:51       ` Pablo Neira Ayuso
2020-07-31 18:16         ` William Mcvicker
2020-08-03 18:31           ` [PATCH v2 1/1] netfilter: nat: add a range check for l3/l4 protonum William Mcvicker
2020-08-04 11:37             ` Pablo Neira Ayuso
2020-08-24 19:38               ` [PATCH v3 0/1] " Will McVicker
2020-08-24 19:38                 ` [PATCH v3 1/1] " Will McVicker
2020-08-28 16:42                   ` Pablo Neira Ayuso [this message]
2020-08-28 16:45                     ` Florian Westphal
2020-08-28 17:11                       ` Pablo Neira Ayuso
2020-09-01 15:36               ` [PATCH v2 " Will Deacon
2020-09-01 17:29                 ` William Mcvicker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200828164234.GA30990@salvia \
    --to=pablo@netfilter.org \
    --cc=coreteam@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=kernel-team@android.com \
    --cc=kuznet@ms2.inr.ac.ru \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=willmcvicker@google.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).