| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Aug 2020 16:28:25 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: John Stultz <john.stultz@...aro.org>,
David Miller <davem@...emloft.net>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
netdev <netdev@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Todd Kjos <tkjos@...gle.com>,
Amit Pundir <amit.pundir@...aro.org>
Subject: Re: [GIT] Networking
On 8/6/20 4:17 PM, Eric Dumazet wrote:
>
>
> On 8/6/20 2:39 PM, John Stultz wrote:
>> On Wed, Aug 5, 2020 at 6:57 PM David Miller <davem@...emloft.net> wrote:
>>> There is a minor conflict in net/ipv6/ip6_flowlabel.c, it's because of
>>> the commit that did the tree-wide removal of uninitialized_var(). The
>>> resolution is simple, kill all of the conflict markers and content
>>> within, and remove the uninitialized_var() marker that got moved
>>> elsewhere in the file in the net-next tree.
>>>
>>> Otherwise, we have:
>>>
>>> 1) Support 6Ghz band in ath11k driver, from Rajkumar Manoharan.
>>>
>>> 2) Support UDP segmentation in code TSO code, from Eric Dumazet.
>>>
>>> 3) Allow flashing different flash images in cxgb4 driver, from Vishal
>>> Kulkarni.
>>>
>>> 4) Add drop frames counter and flow status to tc flower offloading,
>>> from Po Liu.
>>>
>>> 5) Support n-tuple filters in cxgb4, from Vishal Kulkarni.
>>>
>>> 6) Various new indirect call avoidance, from Eric Dumazet and Brian
>>> Vazquez.
>>>
>>> 7) Fix BPF verifier failures on 32-bit pointer arithmetic, from
>>> Yonghong Song.
>>>
>>> 8) Support querying and setting hardware address of a port function
>>> via devlink, use this in mlx5, from Parav Pandit.
>>>
>>> 9) Support hw ipsec offload on bonding slaves, from Jarod Wilson.
>>>
>>> 10) Switch qca8k driver over to phylink, from Jonathan McDowell.
>>>
>>> 11) In bpftool, show list of processes holding BPF FD references to
>>> maps, programs, links, and btf objects. From Andrii Nakryiko.
>>>
>>> 12) Several conversions over to generic power management, from Vaibhav
>>> Gupta.
>>>
>>> 13) Add support for SO_KEEPALIVE et al. to bpf_setsockopt(), from
>>> Dmitry Yakunin.
>>>
>>> 14) Various https url conversions, from Alexander A. Klimov.
>>>
>>> 15) Timestamping and PHC support for mscc PHY driver, from Antoine
>>> Tenart.
>>>
>>> 16) Support bpf iterating over tcp and udp sockets, from Yonghong
>>> Song.
>>>
>>> 17) Support 5GBASE-T i40e NICs, from Aleksandr Loktionov.
>>>
>>> 18) Add kTLS RX HW offload support to mlx5e, from Tariq Toukan.
>>>
>>> 19) Fix the ->ndo_start_xmit() return type to be netdev_tx_t in several
>>> drivers. From Luc Van Oostenryck.
>>>
>>> 20) XDP support for xen-netfront, from Denis Kirjanov.
>>>
>>> 21) Support receive buffer autotuning in MPTCP, from Florian Westphal.
>>>
>>> 22) Support EF100 chip in sfc driver, from Edward Cree.
>>>
>>> 23) Add XDP support to mvpp2 driver, from Matteo Croce.
>>>
>>> 24) Support MPTCP in sock_diag, from Paolo Abeni.
>>>
>>> 25) Commonize UDP tunnel offloading code by creating udp_tunnel_nic
>>> infrastructure, from Jakub Kicinski.
>>>
>>> 26) Several pci_ --> dma_ API conversions, from Christophe JAILLET.
>>>
>>> 27) Add FLOW_ACTION_POLICE support to mlxsw, from Ido Schimmel.
>>>
>>> 28) Add SK_LOOKUP bpf program type, from Jakub Sitnicki.
>>>
>>> 29) Refactor a lot of networking socket option handling code in
>>> order to avoid set_fs() calls, from Christoph Hellwig.
>>>
>>> 30) Add rfc4884 support to icmp code, from Willem de Bruijn.
>>>
>>> 31) Support TBF offload in dpaa2-eth driver, from Ioana Ciornei.
>>>
>>> 32) Support XDP_REDIRECT in qede driver, from Alexander Lobakin.
>>>
>>> 33) Support PCI relaxed ordering in mlx5 driver, from Aya Levin.
>>>
>>> 34) Support TCP syncookies in MPTCP, from Flowian Westphal.
>>>
>>> 35) Fix several tricky cases of PMTU handling wrt. briding, from
>>> Stefano Brivio.
>>>
>>> Please pull, thanks a lot!
>>>
>>> The following changes since commit ac3a0c8472969a03c0496ae774b3a29eb26c8d5a:
>>>
>>> Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2020-08-01 16:47:24 -0700)
>>>
>>> are available in the Git repository at:
>>>
>>> git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
>>
>> Hey David, All,
>> Just as a heads up, after net-next was merged into Linus' tree, I
>> started hitting the following crash on boot on the Dragonboard 845c
>> booting AOSP.
>>
>> I've bisected it down to the net-next merge, but haven't bisected it
>> further yet, as I still have a handful of (unrelated to networking)
>> out of tree patches needed to boot the board.
>>
>> [ 19.709492] Unable to handle kernel access to user memory outside
>> uaccess routines at virtual address 0000006f53337070
>> [ 19.726539] Mem abort info:
>> [ 19.726544] ESR = 0x9600000f
>> [ 19.741323] EC = 0x25: DABT (current EL), IL = 32 bits
>> [ 19.741326] SET = 0, FnV = 0
>> [ 19.761185] EA = 0, S1PTW = 0
>> [ 19.761188] Data abort info:
>> [ 19.761190] ISV = 0, ISS = 0x0000000f
>> [ 19.761192] CM = 0, WnR = 0
>> [ 19.761199] user pgtable: 4k pages, 39-bit VAs, pgdp=000000016e9e9000
>> [ 19.777584] [0000006f53337070] pgd=000000016e99e003,
>> p4d=000000016e99e003, pud=000000016e99e003, pmd=000000016e99a003,
>> pte=00e800016d3c7f53
>> [ 19.789205] Internal error: Oops: 9600000f [#1] PREEMPT SMP
>> [ 19.789211] Modules linked in:
>> [ 19.797153] CPU: 7 PID: 364 Comm: iptables-restor Tainted: G
>> W 5.8.0-mainline-08255-gf9e74a8eb6f3 #3350
>> [ 19.797156] Hardware name: Thundercomm Dragonboard 845c (DT)
>> [ 19.797161] pstate: a0400005 (NzCv daif +PAN -UAO BTYPE=--)
>> [ 19.797177] pc : do_ipt_set_ctl+0x304/0x610
>> [ 19.807891] lr : do_ipt_set_ctl+0x50/0x610
>> [ 19.807894] sp : ffffffc0139bbba0
>> [ 19.807898] x29: ffffffc0139bbba0 x28: ffffff80f07a3800
>> [ 19.846468] x27: 0000000000000000 x26: 0000000000000000
>> [ 19.846472] x25: 0000000000000000 x24: 0000000000000698
>> [ 19.846476] x23: ffffffec8eb0cc80 x22: 0000000000000040
>> [ 19.846480] x21: b400006f53337070 x20: ffffffec8eb0c000
>> [ 19.846484] x19: ffffffec8e9e9000 x18: 0000000000000000
>> [ 19.846487] x17: 0000000000000000 x16: 0000000000000000
>> [ 19.846491] x15: 0000000000000000 x14: 0000000000000000
>> [ 19.846495] x13: 0000000000000000 x12: 0000000000000000
>> [ 19.846501] x11: 0000000000000000 x10: 0000000000000000
>> [ 19.856005] x9 : 0000000000000000 x8 : 0000000000000000
>> [ 19.856008] x7 : ffffffec8e9e9d08 x6 : 0000000000000000
>> [ 19.856012] x5 : 0000000000000000 x4 : 0000000000000213
>> [ 19.856015] x3 : 00000001ffdeffef x2 : 11ded3fb0bb85e00
>> [ 19.856019] x1 : 0000000000000027 x0 : 0000008000000000
>> [ 19.856024] Call trace:
>> [ 19.866319] do_ipt_set_ctl+0x304/0x610
>> [ 19.866327] nf_setsockopt+0x64/0xa8
>> [ 19.866332] ip_setsockopt+0x21c/0x1710
>> [ 19.866338] raw_setsockopt+0x50/0x1b8
>> [ 19.866347] sock_common_setsockopt+0x50/0x68
>> [ 19.882672] __sys_setsockopt+0x120/0x1c8
>> [ 19.882677] __arm64_sys_setsockopt+0x30/0x40
>> [ 19.882686] el0_svc_common.constprop.3+0x78/0x188
>> [ 19.882691] do_el0_svc+0x80/0xa0
>> [ 19.882699] el0_sync_handler+0x134/0x1a0
>> [ 19.901555] el0_sync+0x140/0x180
>> [ 19.901564] Code: aa1503e0 97fffd3e 2a0003f5 17ffff80 (a9401ea6)
>> [ 19.901569] ---[ end trace 22010e9688ae248f ]---
>> [ 19.913033] Kernel panic - not syncing: Fatal exception
>> [ 19.913042] SMP: stopping secondary CPUs
>> [ 20.138885] Kernel Offset: 0x2c7d080000 from 0xffffffc010000000
>> [ 20.138887] PHYS_OFFSET: 0xfffffffa80000000
>> [ 20.138894] CPU features: 0x0040002,2a80a218
>> [ 20.138898] Memory Limit: none
>>
>> I'll continue to work on bisecting this down further, but figured I'd
>> share now as you or someone else might be able to tell whats wrong
>> from the trace.
>>
>
> Can you try at commit c2f12630c60ff33a9cafd221646053fc10ec59b6 ("netfilter: switch nf_setsockopt to sockptr_t")
> (and right before it)
>
> do_replace(.... unsigned int len) ignore @len parameter.
>
> This means that the access_ok() in init_user_sockptr() might have received a too small @size
>
> Presumably on old kernels your command was silently failing.
Could you try : (patch might be mangled)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f15bc21d730164baf6cd2e8bf982c851685ee3c5..ead2122f5edc5aceae91ff8ee08f4e30e1513def 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1110,6 +1110,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
void *loc_cpu_entry;
struct ipt_entry *iter;
+ if (len < sizeof(tmp))
+ return -EINVAL;
if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1119,6 +1121,9 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
if (tmp.num_counters == 0)
return -EINVAL;
+ if (len < sizeof(tmp) + tmp.size)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
@@ -1492,6 +1497,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
void *loc_cpu_entry;
struct ipt_entry *iter;
+ if (len < sizeof(tmp))
+ return -EINVAL;
if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
return -EFAULT;
@@ -1501,6 +1508,9 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
if (tmp.num_counters == 0)
return -EINVAL;
+ if (len < sizeof(tmp) + tmp.size)
+ return -EINVAL;
+
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
Powered by blists - more mailing lists