From: Florian Westphal <fw@strlen.de>
To: Florent Revest <revest@chromium.org>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, lirongqing@baidu.com, wangli39@baidu.com,
zhangyu31@baidu.com, daniel@iogearbox.net, ast@kernel.org,
kpsingh@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
Date: Wed, 21 Jun 2023 13:14:54 +0200 [thread overview]
Message-ID: <20230621111454.GB24035@breakpoint.cc> (raw)
In-Reply-To: <CABRcYmJjv-JoadtzZwU5A+SZwbmbgnzWb27UNZ-UC+9r+JnVxg@mail.gmail.com>
Florent Revest <revest@chromium.org> wrote:
> On Tue, Jun 20, 2023 at 8:35 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Thu, Jun 15, 2023 at 05:29:18PM +0200, Florent Revest wrote:
> > > If register_nf_conntrack_bpf() fails (for example, if the .BTF section
> > > contains an invalid entry), nf_conntrack_init_start() calls
> > > nf_conntrack_helper_fini() as part of its cleanup path and
> > > nf_ct_helper_hash gets freed.
> > >
> > > Further netfilter modules like netfilter_conntrack_ftp don't check
> > > whether nf_conntrack initialized correctly and call
> > > nf_conntrack_helpers_register() which accesses the freed
> > > nf_ct_helper_hash and causes a uaf.
> > >
> > > This patch guards nf_conntrack_helper_register() from accessing
> > > freed/uninitialized nf_ct_helper_hash maps and fixes a boot-time
> > > use-after-free.
> >
> > How could this possibly happen?
>
> Here is one way to reproduce this bug:
>
> # Use nf/main
> git clone git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
> cd nf
>
> # Start from a minimal config
> make LLVM=1 LLVM_IAS=0 defconfig
>
> # Enable KASAN, BTF and nf_conntrack_ftp
> scripts/config -e KASAN -e BPF_SYSCALL -e DEBUG_INFO -e DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT -e DEBUG_INFO_BTF -e NF_CONNTRACK_FTP
> make LLVM=1 LLVM_IAS=0 olddefconfig
>
> # Build without the LLVM integrated assembler
> make LLVM=1 LLVM_IAS=0 -j `nproc`
>
> (Note that the use of LLVM_IAS=0, KASAN and BTF is just to trigger a
> bug in BTF that will be fixed by
> https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=9724160b3942b0a967b91a59f81da5593f28b8ba
> Independently of that specific BTF bug, it shows how an error in
> nf_conntrack_bpf can cause a boot-time uaf in netfilter)
>
> Then, booting gives me:
>
> [ 4.624666] BPF: [13893] FUNC asan.module_ctor
> [ 4.625611] BPF: type_id=1
> [ 4.626176] BPF:
> [ 4.626601] BPF: Invalid name
> [ 4.627208] BPF:
> [ 4.627723] ==================================================================
> [ 4.628610] BUG: KASAN: slab-use-after-free in nf_conntrack_helper_register+0x129/0x2f0
> [ 4.628610] Read of size 8 at addr ffff888102d24000 by task swapper/0/1
> [ 4.628610]
Isn't that better than limping along?
In this case an initcall is failing and I think panic is preferable
to a kernel that behaves like NF_CONNTRACK_FTP=n.
AFAICS this problem is specific to NF_CONNTRACK_FTP=y
(or any other helper module, for that matter).
If you disagree please resend with a commit message that
makes it clear that this is only relevant for the 'builtin' case.
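The ordering the thread argues about, as an added user-space model (not kernel code, not the patch under review): a core initcall allocates a global helper table, a later sub-init fails, the error path frees the table, and a helper's own initcall then tries to register into it. Everything here is a hypothetical stand-in: helper_hash for nf_ct_helper_hash, core_init()/core_fini() for nf_conntrack_init_start() and nf_conntrack_helper_fini(), helper_register() for nf_conntrack_helper_register(), ftp_init() for the builtin nf_conntrack_ftp initcall, and the bpf_init_fails flag for a failing register_nf_conntrack_bpf(). The guard shown (clear the pointer on teardown, refuse registration when it is NULL) is an assumption about the fix's shape; the actual patch text is not on this page. The ftp_builtin flag models Florian's point that only the =y case reaches the freed table, since a =m helper is never loaded when its dependency failed.

```c
/* Hypothetical model of the boot-time ordering discussed in the thread.
 * None of the names below are the kernel's; see the lead-in. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HELPER_HASH_SIZE 64

struct helper {
	const char *name;
	struct helper *next;
};

static struct helper **helper_hash;   /* NULL until core_init() succeeds */

static unsigned int helper_hash_index(const char *name)
{
	unsigned int h = 5381;

	for (; *name; name++)
		h = h * 33 + (unsigned char)*name;
	return h % HELPER_HASH_SIZE;
}

/* Teardown on the error path. Clearing the pointer is what lets a later
 * caller tell "never initialised / torn down" from "ready"; leaving it
 * dangling after free() is the use-after-free shape the thread describes. */
static void core_fini(void)
{
	free(helper_hash);
	helper_hash = NULL;
}

/* Core init: allocate the table, then run a later sub-init (stand-in for
 * register_nf_conntrack_bpf()). If that fails, unwind what was set up. */
static int core_init(int bpf_init_fails)
{
	helper_hash = calloc(HELPER_HASH_SIZE, sizeof(*helper_hash));
	if (!helper_hash)
		return -ENOMEM;
	if (bpf_init_fails) {
		core_fini();
		return -EINVAL;
	}
	return 0;
}

/* Guarded registration (assumed shape): refuse when the table is absent
 * instead of indexing memory that was never allocated or already freed. */
static int helper_register(struct helper *h)
{
	unsigned int i;

	if (!helper_hash)
		return -ENOENT;
	i = helper_hash_index(h->name);
	h->next = helper_hash[i];
	helper_hash[i] = h;
	return 0;
}

static struct helper ftp_helper = { .name = "ftp" };

/* The helper's own initcall. Built in (=y), it runs whether or not the
 * core initcall before it succeeded. */
static int ftp_init(void)
{
	return helper_register(&ftp_helper);
}

/* Boot sequence. Returns ftp_init()'s result, or -ENODEV when the helper is
 * a module and was never loaded because its dependency failed to come up. */
static int boot(int bpf_init_fails, int ftp_builtin)
{
	int core_rc = core_init(bpf_init_fails);

	if (core_rc && !ftp_builtin)
		return -ENODEV;
	return ftp_init();
}

static int helper_is_registered(const char *name)
{
	struct helper *h;

	if (!helper_hash)
		return 0;
	for (h = helper_hash[helper_hash_index(name)]; h; h = h->next)
		if (!strcmp(h->name, name))
			return 1;
	return 0;
}

int main(void)
{
	printf("healthy boot, ftp=y: %d\n", boot(0, 1));
	core_fini();
	printf("bpf init fails, ftp=y: %d (guard refuses, no UAF)\n", boot(1, 1));
	printf("bpf init fails, ftp=m: %d (module never loaded)\n", boot(1, 0));
	return 0;
}
```

The model keeps the decision Florian raises separate from the guard: whether core_init() failing should panic or let the helper limp along with a "registration refused" error is policy in boot(), while the NULL check in helper_register() is what stops the builtin path from touching freed memory either way.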