lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABRcYmKeo6A+3dmZd9bRp8W3tO9M5cHDpQ13b8aeMkhYr4L64Q@mail.gmail.com>
Date: Wed, 21 Jun 2023 15:07:24 +0200
From: Florent Revest <revest@...omium.org>
To: Florian Westphal <fw@...len.de>
Cc: Pablo Neira Ayuso <pablo@...filter.org>, netfilter-devel@...r.kernel.org, 
	coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
	bpf@...r.kernel.org, kadlec@...filter.org, davem@...emloft.net, 
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, lirongqing@...du.com, 
	daniel@...earbox.net, ast@...nel.org, kpsingh@...nel.org, 
	stable@...r.kernel.org
Subject: Re: [PATCH nf] netfilter: conntrack: Avoid nf_ct_helper_hash uses
 after free

On Wed, Jun 21, 2023 at 1:14 PM Florian Westphal <fw@...len.de> wrote:
>
> Florent Revest <revest@...omium.org> wrote:
> > On Tue, Jun 20, 2023 at 8:35 AM Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > >
> > > On Thu, Jun 15, 2023 at 05:29:18PM +0200, Florent Revest wrote:
> > > > If register_nf_conntrack_bpf() fails (for example, if the .BTF section
> > > > contains an invalid entry), nf_conntrack_init_start() calls
> > > > nf_conntrack_helper_fini() as part of its cleanup path and
> > > > nf_ct_helper_hash gets freed.
> > > >
> > > > Further netfilter modules like netfilter_conntrack_ftp don't check
> > > > whether nf_conntrack initialized correctly and call
> > > > nf_conntrack_helpers_register() which accesses the freed
> > > > nf_ct_helper_hash and causes a uaf.
> > > >
> > > > This patch guards nf_conntrack_helper_register() from accessing
> > > > freed/uninitialized nf_ct_helper_hash maps and fixes a boot-time
> > > > use-after-free.
> > >
> > > How could this possibly happen?
> >
> > Here is one way to reproduce this bug:
> >
> >   # Use nf/main
> >   git clone git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
> >   cd nf
> >
> >   # Start from a minimal config
> >   make LLVM=1 LLVM_IAS=0 defconfig
> >
> >   # Enable KASAN, BTF and nf_conntrack_ftp
> >   scripts/config -e KASAN -e BPF_SYSCALL -e DEBUG_INFO -e
> > DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT -e DEBUG_INFO_BTF -e
> > NF_CONNTRACK_FTP
> >   make LLVM=1 LLVM_IAS=0 olddefconfig
> >
> >   # Build without the LLVM integrated assembler
> >   make LLVM=1 LLVM_IAS=0 -j `nproc`
> >
> > (Note that the use of LLVM_IAS=0, KASAN and BTF is just to trigger a
> > bug in BTF that will be fixed by
> > https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=9724160b3942b0a967b91a59f81da5593f28b8ba
> > Independently of that specific BTF bug, it shows how an error in
> > nf_conntrack_bpf can cause a boot-time uaf in netfilter)
> >
> > Then, booting gives me:
> >
> > [    4.624666] BPF: [13893] FUNC asan.module_ctor
> > [    4.625611] BPF: type_id=1
> > [    4.626176] BPF:
> > [    4.626601] BPF: Invalid name
> > [    4.627208] BPF:
> > [    4.627723] ==================================================================
> > [    4.628610] BUG: KASAN: slab-use-after-free in
> > nf_conntrack_helper_register+0x129/0x2f0
> > [    4.628610] Read of size 8 at addr ffff888102d24000 by task swapper/0/1
> > [    4.628610]
>
> Isn't that better than limping along?

Note that this only panics because KASAN instrumentation notices the
use-after-free and makes a lot of noise about it. In a non-debug boot,
this would just silently corrupt random memory instead.

> in this case an initcall is failing and I think panic is preferrable
> to a kernel that behaves like NF_CONNTRACK_FTP=n.

In that case, it seems like what you'd want is
nf_conntrack_standalone_init() to BUG() instead of returning an error
then ? (so you'd never get to NF_CONNTRACK_FTP or any other if
nf_conntrack failed to initialize) If this is the prefered behavior,
then sure, why not.

> AFAICS this problem is specific to NF_CONNTRACK_FTP=y
> (or any other helper module, for that matter).

Even with NF_CONNTRACK_FTP=m, the initialization failure in
nf_conntrack_standalone_init() still happens. Therefore, the helper
hashtable gets freed and when the nf_conntrack_ftp.ko module gets
insmod-ed, it calls nf_conntrack_helpers_register() and this still
causes a use-after-free.

> If you disagree please resend with a commit message that
> makes it clear that this is only relevant for the 'builtin' case.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ