From: Florian Westphal <fw@strlen.de>
To: Juhee Kang <claudiajkang@gmail.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de,
netfilter-devel@vger.kernel.org, luciano.coelho@nokia.com
Subject: Re: [PATCH nf] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
Date: Mon, 4 Oct 2021 14:01:15 +0200 [thread overview]
Message-ID: <20211004120115.GL2935@breakpoint.cc> (raw)
In-Reply-To: <20211004115101.1579-1-claudiajkang@gmail.com>
Juhee Kang <claudiajkang@gmail.com> wrote:
> Currently, when the rule related to IDLETIMER is added, the idletimer_tg timer
> structure is initialized by kmalloc on executing the idletimer_tg_create
> function. However, in this process timer->timer_type is not set to
> a specific value. Thus, timer->timer_type has a garbage value and it causes a
> kernel panic. So, this commit fixes the panic by initializing
> timer->timer_type using kzalloc instead of kmalloc.
>
> Test commands:
> # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
> $ cat /sys/class/xt_idletimer/timers/test
> Killed
>
> Splat looks like:
> BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
> Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
> CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> dump_stack_lvl+0x6e/0x9c
> kasan_report.cold+0x112/0x117
> ? alarm_expires_remaining+0x49/0x70
> __asan_load8+0x86/0xb0
> alarm_expires_remaining+0x49/0x70
> idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
> Fixes: 0902b469bd250 ("netfilter: xtables: idletimer target implementation")
Hmm, I don't think so.
Probably:
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
?
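The failure the commit message describes is an uninitialized struct field steering a later read down a code path that expects initialized state. The following is an added userland illustration, not code from the patch or from xt_IDLETIMER.c: it models a slab object recycled with leftover bytes, a create routine that (like the unpatched target) never writes timer_type, and a show routine that, like idletimer_tg_show, dispatches on the XT_IDLETIMER_ALARM bit. The struct layout, the fake_kmalloc/fake_kzalloc helpers, the 0xA5 fill pattern and the show_timer return codes are all constructed for the example; only the flag value 0x01 is taken from the kernel uapi header.

```c
#include <stdio.h>
#include <string.h>

/* Kernel flag from include/uapi/linux/netfilter/xt_IDLETIMER.h. */
#define XT_IDLETIMER_ALARM 0x01

/* Constructed stand-in for struct idletimer_tg: only the fields that matter. */
struct idletimer_tg {
    unsigned int timer_type;  /* selects hrtimer vs alarm path in show() */
    void *alarm_state;        /* stands in for the embedded struct alarm */
    long expires_ms;          /* constructed expiry value */
};

/* One static object plays the role of a recycled slab object. */
static struct idletimer_tg slab_object;

/* fake_kmalloc: returns memory that still holds previous contents.
 * 0xA5 is a constructed fill pattern; bit 0 is set, so the garbage
 * happens to look like an alarm-type timer. Real leftover bytes vary. */
static struct idletimer_tg *fake_kmalloc(void)
{
    memset(&slab_object, 0xA5, sizeof(slab_object));
    return &slab_object;
}

/* fake_kzalloc: kzalloc semantics, every byte zeroed. */
static struct idletimer_tg *fake_kzalloc(void)
{
    memset(&slab_object, 0, sizeof(slab_object));
    return &slab_object;
}

/* Mirrors the plain IDLETIMER create path: expiry and alarm fields are set,
 * timer_type is never written, so it keeps whatever the allocator left. */
static struct idletimer_tg *create_timer(int use_kzalloc)
{
    struct idletimer_tg *timer = use_kzalloc ? fake_kzalloc() : fake_kmalloc();
    timer->expires_ms = 1000;
    timer->alarm_state = NULL;  /* no alarm was ever armed */
    return timer;
}

enum show_path { SHOW_HRTIMER = 1, SHOW_ALARM = 2 };

/* Mirrors the dispatch in idletimer_tg_show. In the kernel the alarm branch
 * calls alarm_expires_remaining(&timer->alarm) on an alarm that was never
 * initialized, which is the read KASAN flagged. Here we only report which
 * branch would run instead of touching alarm_state. */
static enum show_path show_timer(const struct idletimer_tg *timer)
{
    if (timer->timer_type & XT_IDLETIMER_ALARM)
        return SHOW_ALARM;
    return SHOW_HRTIMER;
}

int main(void)
{
    struct idletimer_tg *t;

    t = create_timer(0);
    printf("kmalloc: timer_type=0x%08x -> %s path\n", t->timer_type,
           show_timer(t) == SHOW_ALARM ? "alarm (wrong)" : "hrtimer");

    t = create_timer(1);
    printf("kzalloc: timer_type=0x%08x -> %s path\n", t->timer_type,
           show_timer(t) == SHOW_ALARM ? "alarm" : "hrtimer (correct)");
    return 0;
}
```

Zeroing the allocation makes the field's default explicit (0 means hrtimer), which is why kzalloc is a complete fix here; an alternative with the same effect would be to assign timer_type on every create path rather than only the alarm-capable one.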
Thread overview: 3+ messages
2021-10-04 11:51 [PATCH nf] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Juhee Kang
2021-10-04 12:01 ` Florian Westphal [this message]
2021-10-04 12:06 ` Juhee Kang