lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 21 Jun 2020 22:24:53 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Jozsef Kadlecsik <kadlec@...filter.org>
Cc:     Russell King - ARM Linux admin <linux@...linux.org.uk>,
        coreteam@...filter.org, netfilter-devel@...r.kernel.org,
        Florian Westphal <fw@...len.de>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org
Subject: Re: [PATCH] netfiler: ipset: fix unaligned atomic access

Hi Jozsef,

I'll place in this in nf.git unless you have any objection.

Thanks.

On Sun, Jun 21, 2020 at 08:45:14PM +0100, Russell King - ARM Linux admin wrote:
> Gentle ping...
> 
> This patch fixes a remotely triggerable kernel oops, and as such can
> be viewed as a remote denial of service attack depending on the
> netfilter rule setup.
> 
> On Wed, Jun 10, 2020 at 09:51:11PM +0100, Russell King wrote:
> > When using ip_set with counters and comment, traffic causes the kernel
> > to panic on 32-bit ARM:
> > 
> > Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
> > Unhandled fault: alignment exception (0x221) at 0xea08133c
> > PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
> > 
> > The problem occurs when we try to update the 64-bit counters - the
> > faulting address above is not 64-bit aligned.  The problem occurs
> > due to the way elements are allocated, for example:
> > 
> > 	set->dsize = ip_set_elem_len(set, tb, 0, 0);
> > 	map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
> > 
> > If the element has a requirement for a member to be 64-bit aligned,
> > and set->dsize is not a multiple of 8, but is a multiple of four,
> > then every odd numbered elements will be misaligned - and hitting
> > an atomic64_add() on that element will cause the kernel to panic.
> > 
> > ip_set_elem_len() must return a size that is rounded to the maximum
> > alignment of any extension field stored in the element.  This change
> > ensures that is the case.
> > 
> > Signed-off-by: Russell King <rmk+kernel@...linux.org.uk>
> > ---
> > Patch against v5.6, where I tripped over this bug.  This bug has
> > caused a kernel panic on my new router twice today.
> > 
> >  net/netfilter/ipset/ip_set_core.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> > index 8dd17589217d..be9cd6a500fb 100644
> > --- a/net/netfilter/ipset/ip_set_core.c
> > +++ b/net/netfilter/ipset/ip_set_core.c
> > @@ -459,6 +459,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
> >  	for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
> >  		if (!add_extension(id, cadt_flags, tb))
> >  			continue;
> > +		if (align < ip_set_extensions[id].align)
> > +			align = ip_set_extensions[id].align;
> >  		len = ALIGN(len, ip_set_extensions[id].align);
> >  		set->offset[id] = len;
> >  		set->extensions |= ip_set_extensions[id].type;
> > -- 
> > 2.20.1
> > 
> > 
> 
> -- 
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ