| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200116135406.v66tcoxfk6z2xqkc@salvia>
Date: Thu, 16 Jan 2020 14:54:06 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Florian Westphal <fw@...len.de>
Cc: netfilter-devel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
netdev@...r.kernel.org,
syzbot+37a6804945a3a13b1572@...kaller.appspotmail.com
Subject: Re: [PATCH nf] netfilter: nf_tables: fix flowtable list del
corruption
On Thu, Jan 16, 2020 at 12:03:01PM +0100, Florian Westphal wrote:
> syzbot reported following crash:
>
> list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
> [..]
> Call Trace:
> __list_del_entry include/linux/list.h:131 [inline]
> list_del_rcu include/linux/rculist.h:148 [inline]
> nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
> [..]
>
> The commit transaction list has:
>
> NFT_MSG_NEWTABLE
> NFT_MSG_NEWFLOWTABLE
> NFT_MSG_DELFLOWTABLE
> NFT_MSG_DELTABLE
>
> A missing generation check during DELTABLE processing causes it to queue
> the DELFLOWTABLE operation a second time, so we corrupt the list here:
>
> case NFT_MSG_DELFLOWTABLE:
> list_del_rcu(&nft_trans_flowtable(trans)->list);
> nf_tables_flowtable_notify(&trans->ctx,
>
> because we have two different DELFLOWTABLE transactions for the same
> flowtable. We then call list_del_rcu() twice for the same flowtable->list.
>
> The object handling seems to suffer from the same bug so add a generation
> check too and only queue delete transactions for flowtables/objects that
> are still active in the next generation.
Applied, thanks.
Powered by blists - more mailing lists