| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Oct 2022 14:26:08 +0200 (CEST)
From: Jozsef Kadlecsik <kadlec@...filter.org>
To: Daniel Xu <dxu@...uu.xyz>
cc: Pablo Neira Ayuso <pablo@...filter.org>,
Florian Westphal <fw@...len.de>,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
ppenkov@...atrix.com
Subject: Re: ip_set_hash_netiface
Hi Daniel,
On Tue, 25 Oct 2022, Daniel Xu wrote:
> I'm following up with our hallway chat yesterday about how ipset
> hash:net,iface can easily OOM.
>
> Here's a quick reproducer (stolen from
> https://bugzilla.kernel.org/show_bug.cgi?id=199107):
>
> $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
> $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done
>
> This used to cause a NULL ptr deref panic before
> https://github.com/torvalds/linux/commit/2b33d6ffa9e38f344418976b06 .
>
> Now it'll either allocate a huge amount of memory or fail a
> vmalloc():
>
> [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
> <...>
> [Tue Oct 25 00:13:08 2022] Call Trace:
> [Tue Oct 25 00:13:08 2022] <TASK>
> [Tue Oct 25 00:13:08 2022] dump_stack_lvl+0x48/0x60
> [Tue Oct 25 00:13:08 2022] warn_alloc+0x155/0x180
> [Tue Oct 25 00:13:08 2022] __vmalloc_node_range+0x72a/0x760
> [Tue Oct 25 00:13:08 2022] ? hash_netiface4_add+0x7c0/0xb20
> [Tue Oct 25 00:13:08 2022] ? __kmalloc_large_node+0x4a/0x90
> [Tue Oct 25 00:13:08 2022] kvmalloc_node+0xa6/0xd0
> [Tue Oct 25 00:13:08 2022] ? hash_netiface4_resize+0x99/0x710
> <...>
>
> Note that this behavior is somewhat documented
> (https://ipset.netfilter.org/ipset.man.html):
>
> > The internal restriction of the hash:net,iface set type is that the same
> > network prefix cannot be stored with more than 64 different interfaces
> > in a single set.
>
> I'm not sure how hard it would be to enforce a limit, but I think it would
> be a bit better to error than allocate many GBs of memory.
That's a bug, actually the limit is not enforced in spite of the
documentation. The next patch fixes it and I'm going to submit to Pablo:
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 6e391308431d..3f8853ed32e9 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -61,10 +61,6 @@ tune_bucketsize(u8 curr, u32 multi)
*/
return n > curr && n <= AHASH_MAX_TUNED ? n : curr;
}
-#define TUNE_BUCKETSIZE(h, multi) \
- ((h)->bucketsize = tune_bucketsize((h)->bucketsize, multi))
-#else
-#define TUNE_BUCKETSIZE(h, multi)
#endif
/* A hash bucket */
@@ -936,7 +932,11 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
goto set_full;
/* Create a new slot */
if (n->pos >= n->size) {
- TUNE_BUCKETSIZE(h, multi);
+#ifdef IP_SET_HASH_WITH_MULTI
+ if (h->bucketsize >= AHASH_MAX_TUNED)
+ goto set_full;
+ h->bucketsize = tune_bucketsize(h->bucketsize, multi);
+#endif
if (n->size >= AHASH_MAX(h)) {
/* Trigger rehashing */
mtype_data_next(&h->next, d);
Best regards,
Jozsef
-
E-mail : kadlec@...ckhole.kfki.hu, kadlecsik.jozsef@...ner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
Powered by blists - more mailing lists