lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 14 Oct 2020 14:59:47 +0200
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     netfilter-devel@...r.kernel.org, Netdev <netdev@...r.kernel.org>
Subject: iptables userspace API broken due to added value in nf_inet_hooks

Hey Pablo,

In 60a3815da702fd9e4759945f26cce5c47d3967ad, you added another enum
value to nf_inet_hooks:

--- a/include/uapi/linux/netfilter.h
+++ b/include/uapi/linux/netfilter.h
@@ -45,6 +45,7 @@ enum nf_inet_hooks {
       NF_INET_FORWARD,
       NF_INET_LOCAL_OUT,
       NF_INET_POST_ROUTING,
+       NF_INET_INGRESS,
       NF_INET_NUMHOOKS
};

That seems fine, but actually it changes the value of
NF_INET_NUMHOOKS, which is used in struct ipt_getinfo:

/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo {
       /* Which table: caller fills this in. */
       char name[XT_TABLE_MAXNAMELEN];

       /* Kernel fills these in. */
       /* Which hook entry points are valid: bitmask */
       unsigned int valid_hooks;

       /* Hook entry points: one per netfilter hook. */
       unsigned int hook_entry[NF_INET_NUMHOOKS];

       /* Underflow points. */
       unsigned int underflow[NF_INET_NUMHOOKS];

       /* Number of entries */
       unsigned int num_entries;

       /* Size of entries. */
       unsigned int size;
};

This in turn makes that struct bigger, which means this check in
net/ipv4/netfilter/ip_tables.c fails:

static int get_info(struct net *net, void __user *user, const int *len)
{
       char name[XT_TABLE_MAXNAMELEN];
       struct xt_table *t;
       int ret;

       if (*len != sizeof(struct ipt_getinfo))
               return -EINVAL;

This is affecting my CI, which attempts to use an older iptables with
net-next and fails with:

iptables v1.8.4 (legacy): can't initialize iptables table `filter':
Module is wrong version
Perhaps iptables or your kernel needs to be upgraded.

Is this kind of breakage okay? If there's an exception carved out for
breaking the iptables API, just let me know, and I'll look into making
adjustments to work around it in my CI. On the other hand, if this
breakage was unintentional, now you know.

Jason

Powered by blists - more mailing lists