Date: Thu, 26 Dec 2019 20:17:52 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Florian Westphal <fw@...len.de>
Cc: NetFilter <netfilter-devel@...r.kernel.org>,
    syzbot+d7358a458d8a81aee898@...kaller.appspotmail.com,
    syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
    LKML <linux-kernel@...r.kernel.org>,
    Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH nf] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct

On Thu, Dec 26, 2019 at 4:37 PM Florian Westphal <fw@...len.de> wrote:
>
> We get a crash when the target's checkentry function tries to make
> use of the network namespace pointer for arptables.
>
> When the net pointer got added back in 2010, only ip/ip6/ebtables were
> changed to initialize it, so arptables has this set to NULL.
>
> This isn't a problem for normal arptables because no existing
> arptables target has a checkentry function that makes use of par->net.
>
> However, direct users of the setsockopt interface can provide any
> target they want as long as it's registered for ARP or UNSPEC protocols.
>
> syzkaller managed to send a semi-valid arptables rule for RATEEST target
> which is enough to trigger NULL deref:
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
> [..]
> xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
> check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
> find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
> translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
> do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
> do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456
>
> Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
> Reported-by: syzbot+d7358a458d8a81aee898@...kaller.appspotmail.com
> Signed-off-by: Florian Westphal <fw@...len.de>

I was about to send out the same patch. So:

Acked-by: Cong Wang <xiyou.wangcong@...il.com>

Thanks.
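
The failure mode described in the quoted commit message, as an added userspace model that is not part of the thread and is not kernel code: a shared checkentry callback receives a parameter struct built by several front ends, and the one that was never updated leaves the new pointer field zero-initialized. The struct layout, function names and family tags are hypothetical, and the model assumes the front ends build the struct with a designated initializer.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct net { int id; };                 /* stand-in for a network namespace */
enum model_family { FAM_IP, FAM_ARP };  /* hypothetical family tags */
struct tgchk_param {                    /* models xt_tgchk_param */
    struct net *net;
    const char *table;
    enum model_family family;
};

/* Models a target checkentry that needs par->net. The NULL test is here only
 * so the model reports the condition instead of faulting as the kernel did. */
static int model_checkentry(const struct tgchk_param *par)
{
    if (par->net == NULL)
        return -EFAULT;
    return par->net->id >= 0 ? 0 : -EINVAL;
}

/* Front end that was updated when the net field was added. */
static int ip_check(struct net *net)
{
    struct tgchk_param par = { .net = net, .table = "filter", .family = FAM_IP };
    return model_checkentry(&par);
}

/* Front end that was missed: members not named in the initializer are
 * zero-initialized, so par.net is NULL no matter what the caller holds. */
static int arp_check_before(struct net *net)
{
    struct tgchk_param par = { .table = "filter", .family = FAM_ARP };
    (void)net;
    return model_checkentry(&par);
}

/* Same front end with the pointer passed through. */
static int arp_check_after(struct net *net)
{
    struct tgchk_param par = { .net = net, .table = "filter", .family = FAM_ARP };
    return model_checkentry(&par);
}

int main(void)
{
    struct net ns = { .id = 1 };
    printf("ip=%d before=%d after=%d\n", ip_check(&ns), arp_check_before(&ns), arp_check_after(&ns));
    return 0;
}
```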