Message-ID: <YTkj4xH2Ol075+Ge@eldamar.lan>
Date:   Wed, 8 Sep 2021 22:58:11 +0200
From:   Salvatore Bonaccorso <carnil@...ian.org>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     syzbot <syzbot+ce96ca2b1d0b37c6422d@...kaller.appspotmail.com>,
        coreteam@...filter.org, davem@...emloft.net, fw@...len.de,
        kadlec@...filter.org, kuba@...nel.org,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        netfilter-devel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        stable@...r.kernel.org, elbrus@...ian.org
Subject: Re: [syzbot] general protection fault in nft_set_elem_expr_alloc

Hi Pablo,

On Wed, Jun 02, 2021 at 07:03:17PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 02, 2021 at 09:37:26AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    6850ec97 Merge branch 'mptcp-fixes-for-5-13'
> > git tree:       net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1355504dd00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=770708ea7cfd4916
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ce96ca2b1d0b37c6422d
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1502d517d00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12bbbe13d00000
> > 
> > The issue was bisected to:
> > 
> > commit 05abe4456fa376040f6cc3cc6830d2e328723478
> > Author: Pablo Neira Ayuso <pablo@...filter.org>
> > Date:   Wed May 20 13:44:37 2020 +0000
> > 
> >     netfilter: nf_tables: allow to register flowtable with no devices
> > 
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10fa1387d00000
> > final oops:     https://syzkaller.appspot.com/x/report.txt?x=12fa1387d00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=14fa1387d00000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+ce96ca2b1d0b37c6422d@...kaller.appspotmail.com
> > Fixes: 05abe4456fa3 ("netfilter: nf_tables: allow to register flowtable with no devices")
> > 
> > general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> > CPU: 1 PID: 8438 Comm: syz-executor343 Not tainted 5.13.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:nft_set_elem_expr_alloc+0x17e/0x280 net/netfilter/nf_tables_api.c:5321
> > Code: 48 c1 ea 03 80 3c 02 00 0f 85 09 01 00 00 49 8b 9d c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 70 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d9 00 00 00 48 8b 5b 70 48 85 db 74 21 e8 9a bd
> 
> It's a real bug. Bisect is not correct though.
> 
> I'll post a patch to fix it. Thanks.

So, if I see it correctly, the fix landed in ad9f151e560b ("netfilter:
nf_tables: initialize set before expression setup") in 5.13-rc7 and
landed as well in 5.12.13. The issue is, though, still present in the
5.10.y series.

Would it be possible to backport the fix as well to 5.10.y? It is
needed there as well.

Regards,
Salvatore
