lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 16 Feb 2019 00:06:26 +0100
From:   Davide Caratti <dcaratti@...hat.com>
To:     Jamal Hadi Salim <jhs@...atatu.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Jiri Pirko <jiri@...nulli.us>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Vlad Buslov <vladbu@...lanox.com>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org
Subject: [PATCH RFC 0/5] net/sched: validate the control action with all the other parameters

currently, the kernel checks for bad values of the control action in
tcf_action_init_1(), after a successful call to the action's init()
function. This causes three bad behaviors:

1. the "half configuration"
   if the action is overwritten, the new configuration data are
   applied successfully

    # tc action add action gact drop index 100
    # tc action replace action gact goto chain 66 index 100 \
    > cookie aabbccdd
    Error: Failed to init TC action chain
    We have an error talking to the kernel
    # tc action show action gact
    total acts 1
     action order 0: gact action goto chain 66
     random type none pass val 0
     index 100 ref 1 bind 0
    cookie aabbccdd

2. a "refcount leak that makes kmemleak complain"
   when a valid 'goto chain' action is overwritten with another 'goto chain'
   action, the kernel leaks two refcounts.
   
   # tc chain add dev dd0 chain 42 ingress protocol ip flower \
   > ip_proto tcp action drop
   # tc chain add dev dd0 chain 43 ingress protocol ip flower \
   > ip_proto udp action drop
   # tc filter add dev dd0 ingress matchall \
   > action goto chain 42 index 66
   # tc action replace action gact goto chain 43 index 66
   Error: Failed to init TC action chain.     
   We have an error talking to the kernel

   # echo scan >/sys/kernel/debug/kmemleak
   <...>
   unreferenced object 0xffff93c0ee09f000 (size 1024):
   comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
   hex dump (first 32 bytes):
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00  ................
   backtrace:
     [<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
     [<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
     [<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
     [<000000006126a348>] netlink_unicast+0x1a0/0x250
     [<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
     [<00000000a25a2171>] sock_sendmsg+0x36/0x40
     [<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
     [<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
     [<000000007a6c61f9>] do_syscall_64+0x5b/0x180
     [<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
     [<0000000013eaa334>] 0xffffffffffffffff

3. a "kernel crash in the traffic plane"
   when an action is overwritten with an invalid 'goto chain' action,
   packets hitting the new rule will trigger a NULL pointer dereference:

   # tc qdisc add dev crash0 clsact
   # tc filter add dev crash0 egress matchall action csum icmp index 6
   # tc action replace action csum icmp goto chain 42 index 6 cookie c1a0c1a0
   # ping 1.2.3.4 -Icrash0

   BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
   #PF error: [normal kernel read fault]
   PGD 0 P4D 0
   Oops: 0000 [#1] SMP PTI
   CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.0.0-rc4.splash #516
   Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
   RIP: 0010:tcf_action_exec+0xb5/0x100
   Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3
   RSP: 0018:ffff99933da03be0 EFLAGS: 00010246
   RAX: 000000002000002a RBX: ffff99933c463300 RCX: 0000000000003a00
   RDX: 0000000000000000 RSI: ffff9992ebda2828 RDI: ffff9992ebda2818
   RBP: ffff99933da03c80 R08: 0000000032250000 R09: 0000000000000003
   R10: 000000000000003f R11: 0000000000000028 R12: ffff9992ed22c100
   R13: ffff9992ed22c108 R14: 0000000000000001 R15: ffff9993339919c0
   FS:  0000000000000000(0000) GS:ffff99933da00000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 0000000000000000 CR3: 0000000005a0e004 CR4: 00000000001606f0
   Call Trace:
    <IRQ>
    tcf_classify+0x58/0x110
    __dev_queue_xmit+0x407/0x890
    ? ip6_finish_output2+0x366/0x590
    ip6_finish_output2+0x366/0x590
    ? ip6_output+0x68/0x110
    ip6_output+0x68/0x110
    ? nf_hook.constprop.35+0x79/0xc0
    mld_sendpack+0x16f/0x220
    mld_ifc_timer_expire+0x195/0x2c0
    ? igmp6_timer_handler+0x70/0x70
    call_timer_fn+0x2b/0x130
    run_timer_softirq+0x3e8/0x440
    ? tick_sched_timer+0x37/0x70
    __do_softirq+0xe3/0x2f5
    irq_exit+0xf0/0x100
    smp_apic_timer_interrupt+0x6c/0x130
    apic_timer_interrupt+0xf/0x20
    </IRQ>
   RIP: 0010:native_safe_halt+0x2/0x10
   Code: 74 ff ff ff 7f f3 c3 65 48 8b 04 25 00 5c 01 00 f0 80 48 02 20 48 8b 00 a8 08 74 8b eb c1 90 90 90 90 90 90 90 90 90 90 fb f4 <c3> 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f4 c3 90 90 90 90 90 90
   RSP: 0018:ffffffff8be03e98 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
   RAX: ffffffff8b417730 RBX: 0000000000000000 RCX: 7ffffb503267b27c
   RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff99933da1d240
   RBP: 0000000000000000 R08: 000c515677542b91 R09: 0000000000000000
   R10: ffffb312c0cffd98 R11: 0000000000000001 R12: 0000000000000000

all these three problems can be fixed if we validate the control action
in the init() function, in the same way as we are already doing for all
the other parameters.

- patch 1 is a temporary fix for problem 2), but it's reverted at the
  end of the series
- we need to refcount and unrefcount chains within init(): patch 2
  extends the init() prototype to correctly handle 'goto chain' control
  actions.
- patch 3 to [n] fix all the actions, providing a proper error path in
  case of bad control action, thus providing a fix for problems 1), 2)
  and 3)
- patch [n+1] removes two if statements in tcf_action_init_1() causing
  the above problems:
    if (TC_ACT_EXT_CMP(a->tcfa_action, TC_ACT_GOTO_CHAIN)) {
     ....
    }
    
    and
    if (!tcf_action_valid(a->tcfa_action)) {
     ....
    }
  as they are not not needed anymore, and for the same reason reverts
  patch 1.

This RFC series fixes only csum, bpf and gact - so it stops with n=5.
In case there are not objections, I will prepare a series fixing all
the actions and send it targeting the 'net' tree (or also 'net-next',
this behavior is reproducible since the first introduction of 'goto
action').

Any feedback is appreciated, thank you in advance!

Davide Caratti (5):
  net/sched: fix refcount leak when 'goto_chain' is used
  net/sched: prepare TC actions to properly validate the control action
  net/sched: act_bpf: validate the control action inside init()
  net/sched: act_csum: validate the control action inside init()
  net/sched: act_gact: validate the control action inside init()

 include/net/act_api.h      |  9 +++++-
 net/sched/act_api.c        | 63 ++++++++++++++++++++++++++++++++++++--
 net/sched/act_bpf.c        | 12 ++++++--
 net/sched/act_connmark.c   |  1 +
 net/sched/act_csum.c       | 22 ++++++++++---
 net/sched/act_gact.c       | 17 ++++++++--
 net/sched/act_ife.c        |  2 +-
 net/sched/act_ipt.c        | 11 ++++---
 net/sched/act_mirred.c     |  1 +
 net/sched/act_nat.c        |  3 +-
 net/sched/act_pedit.c      |  2 +-
 net/sched/act_police.c     |  1 +
 net/sched/act_sample.c     |  2 +-
 net/sched/act_simple.c     |  2 +-
 net/sched/act_skbedit.c    |  1 +
 net/sched/act_skbmod.c     |  1 +
 net/sched/act_tunnel_key.c |  1 +
 net/sched/act_vlan.c       |  2 +-
 18 files changed, 131 insertions(+), 22 deletions(-)

-- 
2.20.1

Powered by blists - more mailing lists