[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1491153268.10124.12.camel@edumazet-glaptop3.roam.corp.google.com>
Date: Sun, 02 Apr 2017 10:14:28 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Denys Fedoryshchenko <nuclearcat@...learcat.com>
Cc: Florian Westphal <fw@...len.de>,
Linux Kernel Network Developers <netdev@...r.kernel.org>,
Pablo Neira Ayuso <pablo@...filter.org>,
Patrick McHardy <kaber@...sh.net>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
linux-kernel@...r.kernel.org, netdev-owner@...r.kernel.org
Subject: Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8
On Sun, 2017-04-02 at 19:52 +0300, Denys Fedoryshchenko wrote:
> On 2017-04-02 15:32, Eric Dumazet wrote:
> > On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote:
> >> > */
> >> I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for
> >> curiosity, if this condition are triggered. Is it fine like that?
> >
> > Sure.
>
> It didnt triggered WARN_ON, and with both patches here is one more
> KASAN.
> What i noticed also after this KASAN, there is many others start to
> trigger in TCPMSS and locking up server by flood.
> There is heavy netlink activity, it is pppoe server with lot of shapers.
> I noticed there left sfq by mistake, usually i am removing it, because
> it may trigger kernel panic too (and hard to trace reason).
> I will try with pfifo instead, after 6 hours.
>
> Here is full log with others: https://nuclearcat.com/kasan.txt
>
Could that be that netfilter does not abort earlier if TCP header is
completely wrong ?
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 27241a767f17b4b27d24095a31e5e9a2d3e29ce4..dd64bff38ba8074e6feb2e6e305eacb30ce4c2da 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
tcp_hdrlen = tcph->doff * 4;
- if (len < tcp_hdrlen)
+ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
return -1;
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
Powered by blists - more mailing lists