lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <9a91603a-7b8f-4c6d-9012-497335e4373b@app.fastmail.com>
Date:   Tue, 25 Oct 2022 00:19:55 -0600
From:   "Daniel Xu" <dxu@...uu.xyz>
To:     "Pablo Neira Ayuso" <pablo@...filter.org>,
        "Jozsef Kadlecsik" <kadlec@...filter.org>,
        "Florian Westphal" <fw@...len.de>, netfilter-devel@...r.kernel.org
Cc:     coreteam@...filter.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, ppenkov@...atrix.com
Subject: ip_set_hash_netiface

Hi Pablo,

I'm following up with our hallway chat yesterday about how ipset
hash:net,iface can easily OOM.

Here's a quick reproducer (stolen from
https://bugzilla.kernel.org/show_bug.cgi?id=199107):

        $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
        $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done

This used to cause a NULL ptr deref panic before
https://github.com/torvalds/linux/commit/2b33d6ffa9e38f344418976b06 .

Now it'll either allocate a huge amount of memory or fail a
vmalloc():

        [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
        <...>
        [Tue Oct 25 00:13:08 2022] Call Trace:
        [Tue Oct 25 00:13:08 2022]  <TASK>
        [Tue Oct 25 00:13:08 2022]  dump_stack_lvl+0x48/0x60
        [Tue Oct 25 00:13:08 2022]  warn_alloc+0x155/0x180
        [Tue Oct 25 00:13:08 2022]  __vmalloc_node_range+0x72a/0x760
        [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_add+0x7c0/0xb20
        [Tue Oct 25 00:13:08 2022]  ? __kmalloc_large_node+0x4a/0x90
        [Tue Oct 25 00:13:08 2022]  kvmalloc_node+0xa6/0xd0
        [Tue Oct 25 00:13:08 2022]  ? hash_netiface4_resize+0x99/0x710
        <...>

Note that this behavior is somewhat documented
(https://ipset.netfilter.org/ipset.man.html):

>  The internal restriction of the hash:net,iface set type is that the same
>  network prefix cannot be stored with more than 64 different interfaces
>  in a single set.

I'm not sure how hard it would be to enforce a limit, but I think it would
be a bit better to error than allocate many GBs of memory.

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ