Date:   Thu, 26 Dec 2019 20:17:52 -0800
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Florian Westphal <fw@...len.de>
Cc:     NetFilter <netfilter-devel@...r.kernel.org>,
        syzbot+d7358a458d8a81aee898@...kaller.appspotmail.com,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH nf] netfilter: arp_tables: init netns pointer in
 xt_tgchk_param struct

On Thu, Dec 26, 2019 at 4:37 PM Florian Westphal <fw@...len.de> wrote:
>
> We get a crash when the target's checkentry function tries to make
> use of the network namespace pointer for arptables.
>
> When the net pointer got added back in 2010, only ip/ip6/ebtables were
> changed to initialize it, so arptables has this set to NULL.
>
> This isn't a problem for normal arptables because no existing
> arptables target has a checkentry function that makes use of par->net.
>
> However, direct users of the setsockopt interface can provide any
> target they want as long as it's registered for ARP or UNSPEC protocols.
>
> syzkaller managed to send a semi-valid arptables rule for RATEEST target
> which is enough to trigger NULL deref:
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
> [..]
>  xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
>  check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
>  find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
>  translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
>  do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
>  do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456
>
> Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
> Reported-by: syzbot+d7358a458d8a81aee898@...kaller.appspotmail.com
> Signed-off-by: Florian Westphal <fw@...len.de>

I was about to send out the same patch.

So:
Acked-by: Cong Wang <xiyou.wangcong@...il.com>

Thanks.
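
An added illustration, not part of the original message or of the kernel patch: a userland C model of the failure the quoted commit message describes, where a target usable from any family is checked through a caller that never fills in the namespace pointer. Every type and function name is a simplified, hypothetical stand-in for the kernel's.

```c
#include <stdio.h>

/* Userland model; every name here is a simplified stand-in, not kernel code. */
enum { PROTO_UNSPEC, PROTO_ARP };
struct net { int id; };

struct tgchk_param {
    struct net *net;    /* namespace the rule is being loaded into */
    const char *table;
    int family;
};

struct target {
    int family;         /* PROTO_UNSPEC: selectable from any table family */
    int (*checkentry)(const struct tgchk_param *par);
};

/* A target whose check needs the namespace, as RATEEST does in the report.
 * The real check function uses par->net and crashes when it is NULL; the
 * model returns -1 at that point so the example runs to completion. */
static int needs_net_checkentry(const struct tgchk_param *par)
{
    if (par->net == NULL)
        return -1;      /* kernel: NULL dereference */
    return par->net->id >= 0 ? 0 : -1;
}

static const struct target rateest_like = { PROTO_UNSPEC, needs_net_checkentry };

/* Pre-fix arptables path: .net is not named, so the initializer leaves it NULL. */
static int arp_check_before(const struct target *t)
{
    struct tgchk_param par = { .table = "filter", .family = PROTO_ARP };
    return t->checkentry(&par);
}

/* Post-fix path: the namespace pointer is initialized, as in ip/ip6/ebtables. */
static int arp_check_after(struct net *net, const struct target *t)
{
    struct tgchk_param par = { .net = net, .table = "filter", .family = PROTO_ARP };
    return t->checkentry(&par);
}

int main(void)
{
    struct net ns = { 0 };
    printf("before=%d after=%d\n", arp_check_before(&rateest_like), arp_check_after(&ns, &rateest_like));
    return 0;
}
```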
