| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 May 2021 12:57:45 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Florian Westphal <fw@...len.de>,
syzbot <syzbot+154bd5be532a63aa778b@...kaller.appspotmail.com>,
coreteam@...filter.org, David Miller <davem@...emloft.net>,
Jozsef Kadlecsik <kadlec@...filter.org>,
Jakub Kicinski <kuba@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
netdev <netdev@...r.kernel.org>,
NetFilter <netfilter-devel@...r.kernel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: [syzbot] WARNING in __nf_unregister_net_hook (4)
On Thu, May 13, 2021 at 09:08:20AM +0200, Dmitry Vyukov wrote:
> On Thu, May 13, 2021 at 2:56 AM Pablo Neira Ayuso <pablo@...filter.org> wrote:
> >
> > On Sat, May 08, 2021 at 04:46:57PM +0200, Florian Westphal wrote:
> > > Dmitry Vyukov <dvyukov@...gle.com> wrote:
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+154bd5be532a63aa778b@...kaller.appspotmail.com
> > > >
> > > > Is this also fixed by "netfilter: arptables: use pernet ops struct
> > > > during unregister"?
> > > > The warning is the same, but the stack is different...
> > >
> > > No, this is a different bug.
> > >
> > > In both cases the caller attempts to unregister a hook that the core
> > > can't find, but in this case the caller is nftables, not arptables.
> >
> > I see no reproducer for this bug. Maybe I broke the dormant flag handling?
> >
> > Or maybe syzbot got here after the arptables bug has been hitted?
>
> syzbot always stops after the first bug to give you perfect "Not
> tainted" oopses.
Looking at the log file:
https://syzkaller.appspot.com/text?tag=CrashLog&x=110a3096d00000
This is mixing calls to nftables:
14:43:16 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)={{0x9}, [@NFT_MSG_NEWTABLE={0x28, 0x0, 0xa, 0x3, 0x0, 0x0, {0x2}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}, @NFTA_TABLE_FLAGS={0x8}]}], {0x14}}, 0x50}}, 0x0)
with arptables:
14:43:16 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000000)={'filter\x00', 0x4, 0x4, 0x3f8, 0x310, 0x200, 0x200, 0x310, 0x310, 0x310, 0x4, 0x0, {[{{@...={@...adcast, @rand_addr, 0x87010000, 0x0, 0x0, 0x0, {@...=@...k_local}, {@...}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'bridge0\x00', 'erspan0\x00'}, 0xc0, 0x100}, @unspec=@...EEST={0x40, 'RATEEST\x00', 0x0, {'syz1\x00', 0x0, 0x4}}}, {{@...={@...tdev={0xac, 0x1e, 0x0, 0x0}, @local, 0x0, 0x0, 0x0, 0x0, {@...=@...ote}, {}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'veth0_to_bridge\x00', 'geneve1\x00'}, 0xc0, 0x100}, @unspec=@...EEST={0x40, 'RATEEST\x00', 0x0, {'syz0\x00', 0x0, 0x2}}}, {{@...={@...al, @multicast1, 0x0, 0x0, 0x0, 0x0, {}, {@...=@...adcast}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 'veth0_to_batadv\x00', 'veth0_to_hsr\x00'}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@...=@...ote, @mac=@...al, @multicast2, @initdev={0xac, 0x1e, 0x0, 0x0}}}}], {{[], 0xc0, 0xe8}, {0x28}}}}, 0x448)
arptables was buggy at the time this bug has been reported.
Am I understanding correctly the syzbot log?
I wonder if the (buggy) arptables removed the incorrect hook from
nftables, then nftables crashed on the same location when removing the
hook. I don't see a clear sequence for this to happen though.
Would it be possible to make syzbot exercise the NFT_MSG_NEWTABLE
codepath (with NFTA_TABLE_FLAGS) to check if the problem still
persists?
Thanks.
Powered by blists - more mailing lists