lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 28 Mar 2014 00:06:20 +0400
From:	Andrey Vagin <avagin@...nvz.org>
To:	linux-kernel@...r.kernel.org
Cc:	netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org,
	coreteam@...filter.org, netdev@...r.kernel.org, vvs@...allels.com,
	Andrey Vagin <avagin@...nvz.org>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	Patrick McHardy <kaber@...sh.net>,
	Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
	"David S. Miller" <davem@...emloft.net>
Subject: [PATCH] netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (v2)

"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
case it can contain all extensions. Bellow you can find sizes for all
types of extensions. Their sum is definitely bigger than 256.

nf_ct_ext_types[0]->len = 24
nf_ct_ext_types[1]->len = 32
nf_ct_ext_types[2]->len = 24
nf_ct_ext_types[3]->len = 32
nf_ct_ext_types[4]->len = 152
nf_ct_ext_types[5]->len = 2
nf_ct_ext_types[6]->len = 16
nf_ct_ext_types[7]->len = 8

I have seen "len" up to 280 and my host has crashes w/o this patch.

The right way to fix this problem is reducing the size of the ecache
extension (4) and Florian is going to do this, but these changes will
be quite large to be appropriate for a stable tree.

v2: rearrange the extension so ECACHE comes last. This is required to
prevent overflow of nf_ct_ext->offset.

Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
Cc: Pablo Neira Ayuso <pablo@...filter.org>
Cc: Patrick McHardy <kaber@...sh.net>
Cc: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
Cc: "David S. Miller" <davem@...emloft.net>
Signed-off-by: Andrey Vagin <avagin@...nvz.org>
---
 include/net/netfilter/nf_conntrack_extend.h | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 956b175..9d41750 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -12,9 +12,6 @@ enum nf_ct_ext_id {
 #endif
 	NF_CT_EXT_SEQADJ,
 	NF_CT_EXT_ACCT,
-#ifdef CONFIG_NF_CONNTRACK_EVENTS
-	NF_CT_EXT_ECACHE,
-#endif
 #ifdef CONFIG_NF_CONNTRACK_ZONES
 	NF_CT_EXT_ZONE,
 #endif
@@ -30,6 +27,15 @@ enum nf_ct_ext_id {
 #if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
 	NF_CT_EXT_SYNPROXY,
 #endif
+
+/*
+ * The size of the nf_conntrack_ecache struct is about 150 bytes, so
+ * NF_CT_EXT_ECACHE must be the last one to prevent overflow of
+ * nf_ct_ext->offset[id]
+ */
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+	NF_CT_EXT_ECACHE,
+#endif
 	NF_CT_EXT_NUM,
 };
 
@@ -48,7 +54,7 @@ enum nf_ct_ext_id {
 struct nf_ct_ext {
 	struct rcu_head rcu;
 	u8 offset[NF_CT_EXT_NUM];
-	u8 len;
+	u16 len;
 	char data[0];
 };
 
-- 
1.8.5.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ