lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 6 Aug 2020 16:28:25 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     John Stultz <john.stultz@...aro.org>,
        David Miller <davem@...emloft.net>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        netdev <netdev@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Todd Kjos <tkjos@...gle.com>,
        Amit Pundir <amit.pundir@...aro.org>
Subject: Re: [GIT] Networking



On 8/6/20 4:17 PM, Eric Dumazet wrote:
> 
> 
> On 8/6/20 2:39 PM, John Stultz wrote:
>> On Wed, Aug 5, 2020 at 6:57 PM David Miller <davem@...emloft.net> wrote:
>>> There is a minor conflict in net/ipv6/ip6_flowlabel.c, it's because of
>>> the commit that did the tree-wide removal of uninitialized_var().  The
>>> resolution is simple, kill all of the conflict markers and content
>>> within, and remove the uninitialized_var() marker that got moved
>>> elsewhere in the file in the net-next tree.
>>>
>>> Otherwise, we have:
>>>
>>> 1) Support 6Ghz band in ath11k driver, from Rajkumar Manoharan.
>>>
>>> 2) Support UDP segmentation in code TSO code, from Eric Dumazet.
>>>
>>> 3) Allow flashing different flash images in cxgb4 driver, from Vishal
>>>    Kulkarni.
>>>
>>> 4) Add drop frames counter and flow status to tc flower offloading,
>>>    from Po Liu.
>>>
>>> 5) Support n-tuple filters in cxgb4, from Vishal Kulkarni.
>>>
>>> 6) Various new indirect call avoidance, from Eric Dumazet and Brian
>>>    Vazquez.
>>>
>>> 7) Fix BPF verifier failures on 32-bit pointer arithmetic, from
>>>    Yonghong Song.
>>>
>>> 8) Support querying and setting hardware address of a port function
>>>    via devlink, use this in mlx5, from Parav Pandit.
>>>
>>> 9) Support hw ipsec offload on bonding slaves, from Jarod Wilson.
>>>
>>> 10) Switch qca8k driver over to phylink, from Jonathan McDowell.
>>>
>>> 11) In bpftool, show list of processes holding BPF FD references to
>>>     maps, programs, links, and btf objects.  From Andrii Nakryiko.
>>>
>>> 12) Several conversions over to generic power management, from Vaibhav
>>>     Gupta.
>>>
>>> 13) Add support for SO_KEEPALIVE et al. to bpf_setsockopt(), from
>>>     Dmitry Yakunin.
>>>
>>> 14) Various https url conversions, from Alexander A. Klimov.
>>>
>>> 15) Timestamping and PHC support for mscc PHY driver, from Antoine
>>>     Tenart.
>>>
>>> 16) Support bpf iterating over tcp and udp sockets, from Yonghong
>>>     Song.
>>>
>>> 17) Support 5GBASE-T i40e NICs, from Aleksandr Loktionov.
>>>
>>> 18) Add kTLS RX HW offload support to mlx5e, from Tariq Toukan.
>>>
>>> 19) Fix the ->ndo_start_xmit() return type to be netdev_tx_t in several
>>>     drivers.  From Luc Van Oostenryck.
>>>
>>> 20) XDP support for xen-netfront, from Denis Kirjanov.
>>>
>>> 21) Support receive buffer autotuning in MPTCP, from Florian Westphal.
>>>
>>> 22) Support EF100 chip in sfc driver, from Edward Cree.
>>>
>>> 23) Add XDP support to mvpp2 driver, from Matteo Croce.
>>>
>>> 24) Support MPTCP in sock_diag, from Paolo Abeni.
>>>
>>> 25) Commonize UDP tunnel offloading code by creating udp_tunnel_nic
>>>     infrastructure, from Jakub Kicinski.
>>>
>>> 26) Several pci_ --> dma_ API conversions, from Christophe JAILLET.
>>>
>>> 27) Add FLOW_ACTION_POLICE support to mlxsw, from Ido Schimmel.
>>>
>>> 28) Add SK_LOOKUP bpf program type, from Jakub Sitnicki.
>>>
>>> 29) Refactor a lot of networking socket option handling code in
>>>     order to avoid set_fs() calls, from Christoph Hellwig.
>>>
>>> 30) Add rfc4884 support to icmp code, from Willem de Bruijn.
>>>
>>> 31) Support TBF offload in dpaa2-eth driver, from Ioana Ciornei.
>>>
>>> 32) Support XDP_REDIRECT in qede driver, from Alexander Lobakin.
>>>
>>> 33) Support PCI relaxed ordering in mlx5 driver, from Aya Levin.
>>>
>>> 34) Support TCP syncookies in MPTCP, from Flowian Westphal.
>>>
>>> 35) Fix several tricky cases of PMTU handling wrt. briding, from
>>>     Stefano Brivio.
>>>
>>> Please pull, thanks a lot!
>>>
>>> The following changes since commit ac3a0c8472969a03c0496ae774b3a29eb26c8d5a:
>>>
>>>   Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2020-08-01 16:47:24 -0700)
>>>
>>> are available in the Git repository at:
>>>
>>>   git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
>>
>> Hey David, All,
>>   Just as a heads up, after net-next was merged into Linus' tree, I
>> started hitting the following crash on boot on the Dragonboard 845c
>> booting AOSP.
>>
>> I've bisected it down to the net-next merge, but haven't bisected it
>> further yet, as I still have a handful of (unrelated to networking)
>> out of tree patches needed to boot the board.
>>
>> [   19.709492] Unable to handle kernel access to user memory outside
>> uaccess routines at virtual address 0000006f53337070
>> [   19.726539] Mem abort info:
>> [   19.726544]   ESR = 0x9600000f
>> [   19.741323]   EC = 0x25: DABT (current EL), IL = 32 bits
>> [   19.741326]   SET = 0, FnV = 0
>> [   19.761185]   EA = 0, S1PTW = 0
>> [   19.761188] Data abort info:
>> [   19.761190]   ISV = 0, ISS = 0x0000000f
>> [   19.761192]   CM = 0, WnR = 0
>> [   19.761199] user pgtable: 4k pages, 39-bit VAs, pgdp=000000016e9e9000
>> [   19.777584] [0000006f53337070] pgd=000000016e99e003,
>> p4d=000000016e99e003, pud=000000016e99e003, pmd=000000016e99a003,
>> pte=00e800016d3c7f53
>> [   19.789205] Internal error: Oops: 9600000f [#1] PREEMPT SMP
>> [   19.789211] Modules linked in:
>> [   19.797153] CPU: 7 PID: 364 Comm: iptables-restor Tainted: G
>> W         5.8.0-mainline-08255-gf9e74a8eb6f3 #3350
>> [   19.797156] Hardware name: Thundercomm Dragonboard 845c (DT)
>> [   19.797161] pstate: a0400005 (NzCv daif +PAN -UAO BTYPE=--)
>> [   19.797177] pc : do_ipt_set_ctl+0x304/0x610
>> [   19.807891] lr : do_ipt_set_ctl+0x50/0x610
>> [   19.807894] sp : ffffffc0139bbba0
>> [   19.807898] x29: ffffffc0139bbba0 x28: ffffff80f07a3800
>> [   19.846468] x27: 0000000000000000 x26: 0000000000000000
>> [   19.846472] x25: 0000000000000000 x24: 0000000000000698
>> [   19.846476] x23: ffffffec8eb0cc80 x22: 0000000000000040
>> [   19.846480] x21: b400006f53337070 x20: ffffffec8eb0c000
>> [   19.846484] x19: ffffffec8e9e9000 x18: 0000000000000000
>> [   19.846487] x17: 0000000000000000 x16: 0000000000000000
>> [   19.846491] x15: 0000000000000000 x14: 0000000000000000
>> [   19.846495] x13: 0000000000000000 x12: 0000000000000000
>> [   19.846501] x11: 0000000000000000 x10: 0000000000000000
>> [   19.856005] x9 : 0000000000000000 x8 : 0000000000000000
>> [   19.856008] x7 : ffffffec8e9e9d08 x6 : 0000000000000000
>> [   19.856012] x5 : 0000000000000000 x4 : 0000000000000213
>> [   19.856015] x3 : 00000001ffdeffef x2 : 11ded3fb0bb85e00
>> [   19.856019] x1 : 0000000000000027 x0 : 0000008000000000
>> [   19.856024] Call trace:
>> [   19.866319]  do_ipt_set_ctl+0x304/0x610
>> [   19.866327]  nf_setsockopt+0x64/0xa8
>> [   19.866332]  ip_setsockopt+0x21c/0x1710
>> [   19.866338]  raw_setsockopt+0x50/0x1b8
>> [   19.866347]  sock_common_setsockopt+0x50/0x68
>> [   19.882672]  __sys_setsockopt+0x120/0x1c8
>> [   19.882677]  __arm64_sys_setsockopt+0x30/0x40
>> [   19.882686]  el0_svc_common.constprop.3+0x78/0x188
>> [   19.882691]  do_el0_svc+0x80/0xa0
>> [   19.882699]  el0_sync_handler+0x134/0x1a0
>> [   19.901555]  el0_sync+0x140/0x180
>> [   19.901564] Code: aa1503e0 97fffd3e 2a0003f5 17ffff80 (a9401ea6)
>> [   19.901569] ---[ end trace 22010e9688ae248f ]---
>> [   19.913033] Kernel panic - not syncing: Fatal exception
>> [   19.913042] SMP: stopping secondary CPUs
>> [   20.138885] Kernel Offset: 0x2c7d080000 from 0xffffffc010000000
>> [   20.138887] PHYS_OFFSET: 0xfffffffa80000000
>> [   20.138894] CPU features: 0x0040002,2a80a218
>> [   20.138898] Memory Limit: none
>>
>> I'll continue to work on bisecting this down further, but figured I'd
>> share now as you or someone else might be able to tell whats wrong
>> from the trace.
>>
> 
> Can you try at commit c2f12630c60ff33a9cafd221646053fc10ec59b6 ("netfilter: switch nf_setsockopt to sockptr_t") 
> (and right before it)
> 
> do_replace(.... unsigned int len) ignore @len parameter.
> 
> This means that the access_ok() in init_user_sockptr() might have received a too small @size
> 
> Presumably on old kernels your command was silently failing.

Could you try : (patch might be mangled)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f15bc21d730164baf6cd2e8bf982c851685ee3c5..ead2122f5edc5aceae91ff8ee08f4e30e1513def 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1110,6 +1110,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
        void *loc_cpu_entry;
        struct ipt_entry *iter;
 
+       if (len < sizeof(tmp))
+               return -EINVAL;
        if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
                return -EFAULT;
 
@@ -1119,6 +1121,9 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len)
        if (tmp.num_counters == 0)
                return -EINVAL;
 
+       if (len < sizeof(tmp) + tmp.size)
+               return -EINVAL;
+
        tmp.name[sizeof(tmp.name)-1] = 0;
 
        newinfo = xt_alloc_table_info(tmp.size);
@@ -1492,6 +1497,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
        void *loc_cpu_entry;
        struct ipt_entry *iter;
 
+       if (len < sizeof(tmp))
+               return -EINVAL;
        if (copy_from_sockptr(&tmp, arg, sizeof(tmp)) != 0)
                return -EFAULT;
 
@@ -1501,6 +1508,9 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len)
        if (tmp.num_counters == 0)
                return -EINVAL;
 
+       if (len < sizeof(tmp) + tmp.size)
+               return -EINVAL;
+
        tmp.name[sizeof(tmp.name)-1] = 0;
 
        newinfo = xt_alloc_table_info(tmp.size);

Powered by blists - more mailing lists