lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 Jan 2020 14:54:06 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Florian Westphal <fw@...len.de>
Cc:     netfilter-devel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        netdev@...r.kernel.org,
        syzbot+37a6804945a3a13b1572@...kaller.appspotmail.com
Subject: Re: [PATCH nf] netfilter: nf_tables: fix flowtable list del
 corruption

On Thu, Jan 16, 2020 at 12:03:01PM +0100, Florian Westphal wrote:
> syzbot reported following crash:
> 
>   list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
>   [..]
>   Call Trace:
>    __list_del_entry include/linux/list.h:131 [inline]
>    list_del_rcu include/linux/rculist.h:148 [inline]
>    nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
>    [..]
> 
> The commit transaction list has:
> 
> NFT_MSG_NEWTABLE
> NFT_MSG_NEWFLOWTABLE
> NFT_MSG_DELFLOWTABLE
> NFT_MSG_DELTABLE
> 
> A missing generation check during DELTABLE processing causes it to queue
> the DELFLOWTABLE operation a second time, so we corrupt the list here:
> 
>   case NFT_MSG_DELFLOWTABLE:
>      list_del_rcu(&nft_trans_flowtable(trans)->list);
>      nf_tables_flowtable_notify(&trans->ctx,
> 
> because we have two different DELFLOWTABLE transactions for the same
> flowtable.  We then call list_del_rcu() twice for the same flowtable->list.
> 
> The object handling seems to suffer from the same bug so add a generation
> check too and only queue delete transactions for flowtables/objects that
> are still active in the next generation.

Applied, thanks.

Powered by blists - more mailing lists