| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <45ec4684-6b71-49c2-a082-b7f8aba4a804@quicinc.com>
Date: Wed, 25 Oct 2023 22:52:39 +0530
From: Kaustubh Pandey <quic_kapandey@...cinc.com>
To: Pablo Neira Ayuso <pablo@...filter.org>
CC: <mark.tomlinson@...iedtelesis.co.nz>, <netdev@...r.kernel.org>,
<quic_sharathv@...cinc.com>, <quic_subashab@...cinc.com>,
<netfilter-devel@...r.kernel.org>
Subject: Re: KASAN: vmalloc-out-of-bounds in ipt_do_table
On 10/23/2023 3:42 PM, Pablo Neira Ayuso wrote:
> Cc'ing netfilter-devel.
>
> On Mon, Oct 23, 2023 at 03:31:25PM +0530, Kaustubh Pandey wrote:
>> Hi Everyone,
>>
>> We have observed below issue on v5.15 kernel
>>
>> [83180.055298]
>> ==================================================================
>> [83180.055376] BUG: KASAN: vmalloc-out-of-bounds in ipt_do_table+0x43c/0xaf4
>> [83180.055464] Read of size 8 at addr ffffffc02c0f9000 by task Disposer/1686
>> [83180.055544] CPU: 1 PID: 1686 Comm: Disposer Tainted: G S W OE
>> 5.15.78-android13-8-g3d973ad4cc47 #1
>
> This is slightly behind current -stable. Perhaps this is missing?
>
> commit e58a171d35e32e6e8c37cfe0e8a94406732a331f
> Author: Florian Westphal <fw@...len.de>
> Date: Fri Feb 17 23:20:06 2023 +0100
>
> netfilter: ebtables: fix table blob use-after-free
>
>> [83180.055613] Hardware name: Qualcomm Technologies, Inc. Kalama
>> MTP,davinci DVT (DT)
>> [83180.055655] Call trace:
>> [83180.055677] dump_backtrace+0x0/0x3b0
>> [83180.055740] show_stack+0x2c/0x3c
>> [83180.055792] dump_stack_lvl+0x8c/0xa8
>> [83180.055866] print_address_description+0x74/0x384
>> [83180.055940] kasan_report+0x180/0x260
>> [83180.056002] __asan_load8+0xb4/0xb8
>> [83180.056064] ipt_do_table+0x43c/0xaf4
>> [83180.056120] iptable_mangle_hook+0xf4/0x22c
>> [83180.056182] nf_hook_slow+0x90/0x198
>> [83180.056245] ip_mc_output+0x50c/0x67c
>> [83180.056302] ip_send_skb+0x88/0x1bc
>> [83180.056355] udp_send_skb+0x524/0x930
>> [83180.056415] udp_sendmsg+0x126c/0x13ac
>> [83180.056474] udpv6_sendmsg+0x6d4/0x1764
>> [83180.056539] inet6_sendmsg+0x78/0x98
>> [83180.056605] __sys_sendto+0x360/0x450
>> [83180.056667] __arm64_sys_sendto+0x80/0x9c
>> [83180.056725] invoke_syscall+0x80/0x218
>> [83180.056791] el0_svc_common+0x18c/0x1bc
>> [83180.056857] do_el0_svc+0x44/0xfc
>> [83180.056918] el0_svc+0x20/0x50
>> [83180.056966] el0t_64_sync_handler+0x84/0xe4
>> [83180.057020] el0t_64_sync+0x1a4/0x1a8
>> [83180.057110] Memory state around the buggy address:
>> [83180.057150] ffffffc02c0f8f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> f8 f8 f8
>> [83180.057193] ffffffc02c0f8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> f8 f8 f8
>> [83180.057237] >ffffffc02c0f9000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> f8 f8 f8
>> [83180.057269] ^
>> [83180.057304] ffffffc02c0f9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> f8 f8 f8
>> [83180.057345] ffffffc02c0f9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> f8 f8 f8
>> [83180.057378]
>> ==================================================================
>>
>> There are no reproduction steps available for this.
>>
>> I have checked along the lines and see that
>> https://github.com/torvalds/linux/commit/175e476b8cdf2a4de7432583b49c871345e4f8a1
>> is still present in this kernel.
>> Checked around similar lines in latest kernel and still see that
>> implementation hasnt changed much.
>>
>> Can you pls help check if this is a known issue and was fixed in latest
>> or help in pointing out how to debug this further ?
>>
>> Thanks,
>> Kaustubh
>>
Thanks Pablo, I will try after picking the shared change.
I will revert back with results.
Thanks,
Kaustubh
Powered by blists - more mailing lists