lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 02 Apr 2017 10:14:28 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Denys Fedoryshchenko <nuclearcat@...learcat.com> Cc: Florian Westphal <fw@...len.de>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Pablo Neira Ayuso <pablo@...filter.org>, Patrick McHardy <kaber@...sh.net>, Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>, netfilter-devel@...r.kernel.org, coreteam@...filter.org, linux-kernel@...r.kernel.org, netdev-owner@...r.kernel.org Subject: Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8 On Sun, 2017-04-02 at 19:52 +0300, Denys Fedoryshchenko wrote: > On 2017-04-02 15:32, Eric Dumazet wrote: > > On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote: > >> > */ > >> I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for > >> curiosity, if this condition are triggered. Is it fine like that? > > > > Sure. > > It didnt triggered WARN_ON, and with both patches here is one more > KASAN. > What i noticed also after this KASAN, there is many others start to > trigger in TCPMSS and locking up server by flood. > There is heavy netlink activity, it is pppoe server with lot of shapers. > I noticed there left sfq by mistake, usually i am removing it, because > it may trigger kernel panic too (and hard to trace reason). > I will try with pfifo instead, after 6 hours. > > Here is full log with others: https://nuclearcat.com/kasan.txt > Could that be that netfilter does not abort earlier if TCP header is completely wrong ? diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 27241a767f17b4b27d24095a31e5e9a2d3e29ce4..dd64bff38ba8074e6feb2e6e305eacb30ce4c2da 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); tcp_hdrlen = tcph->doff * 4; - if (len < tcp_hdrlen) + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
Powered by blists - more mailing lists