From: Florian Westphal <fw@strlen.de>
To: Wander Lairson Costa <wander@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Florian Westphal <fw@strlen.de>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Fernando Fernandez Mancera <ffmancera@riseup.net>,
"open list:NETFILTER" <netfilter-devel@vger.kernel.org>,
"open list:NETFILTER" <coreteam@netfilter.org>,
"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
open list <linux-kernel@vger.kernel.org>,
Lucas Leong <wmliang@infosec.exchange>,
stable@kernel.org
Subject: Re: [PATH nf v3] netfilter/osf: avoid OOB read
Date: Wed, 6 Sep 2023 00:01:24 +0200
Message-ID: <20230905220124.GD28379@breakpoint.cc>
In-Reply-To: <20230901135021.30252-1-wander@redhat.com>
Wander Lairson Costa <wander@redhat.com> wrote:
> The opt_num field is controlled by user mode and is not currently
> validated inside the kernel. An attacker can take advantage of this to
> trigger an OOB read and potentially leak information.
>
> Also add validation to genre, subtype and version fields.
I was about to apply this but your patch misses the Signed-off-by line.
> Reproducer:
>
> void install_filter_for_leak()
> {
Please remove this for v4, it only clutters the changelog.
> KASAN report:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 linux-6.0-rc4/net/netfilter/nfnetlink_osf.c:88
> Read of size 2 at addr ffff88804bc64272 by task poc/6431
>
> CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
> Call Trace:
> <IRQ>
> __dump_stack linux-6.0-rc4/lib/dump_stack.c:88
> dump_stack_lvl+0xcd/0x134 linux-6.0-rc4/lib/dump_stack.c:106
> print_address_description linux-6.0-rc4/mm/kasan/report.c:317
> print_report.cold+0x2ba/0x6e9 linux-6.0-rc4/mm/kasan/report.c:433
> kasan_report+0xb1/0x1e0 linux-6.0-rc4/mm/kasan/report.c:495
> nf_osf_match_one+0xbed/0xd10 linux-6.0-rc4/net/netfilter/nfnetlink_osf.c:88
> nf_osf_find+0x186/0x2f0 linux-6.0-rc4/net/netfilter/nfnetlink_osf.c:281
> nft_osf_eval+0x37f/0x590 linux-6.0-rc4/net/netfilter/nft_osf.c:47
> expr_call_ops_eval linux-6.0-rc4/net/netfilter/nf_tables_core.c:214
> nft_do_chain+0x2b0/0x1490 linux-6.0-rc4/net/netfilter/nf_tables_core.c:264
> nft_do_chain_ipv4+0x17c/0x1f0 linux-6.0-rc4/net/netfilter/nft_chain_filter.c:23
> nf_hook_entry_hookfn linux-6.0-rc4/./include/linux/netfilter.h:142
> nf_hook_slow+0xc5/0x1f0 linux-6.0-rc4/net/netfilter/core.c:620
You can keep the KASAN splat but please trim it down, anything below here
doesn't add much value and neither does print_address_description etc. above.
> ffff88804bc64300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>
> ---
git-am chopped everything below off, so
>
> Fixes: f9324952088f ("netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c")
> Reported-by: Lucas Leong <wmliang@infosec.exchange>
> Cc: stable@kernel.org
> Signed-off-by: Wander Lairson Costa <wander@redhat.com>
The above wasn't there when I looked at 'git log'.
I will fix this up locally, no need to resend,
but please keep this in mind next time.
Thanks!
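The quoted changelog describes the bug class under review: a count field (opt_num) supplied from user space is used to bound a loop over a fixed-size array without being checked against that array's size, and fixed-size string fields (genre, version, subtype) are consumed without confirming they are NUL-terminated. The userspace C model below is an added illustration, not code from the patch or from the kernel tree; the struct layout, the sizes, the `osf_*` function names and the sample inputs are assumptions modelled loosely on the kernel's `nf_osf_user_finger`, chosen so the check can be compiled and exercised outside the kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes for the model (constructed, not the kernel's definitions). */
#define MAXGENRELEN  32
#define MAX_IPOPTLEN 40

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for one TCP option entry of a fingerprint. */
struct osf_opt_model {
    uint16_t kind;
    uint16_t length;
};

/* Constructed stand-in for a user-supplied fingerprint: the count and the
 * strings arrive verbatim from user space and must be treated as untrusted. */
struct osf_finger_model {
    uint32_t opt_num;                      /* user-controlled element count */
    char genre[MAXGENRELEN];
    char version[MAXGENRELEN];
    char subtype[MAXGENRELEN];
    struct osf_opt_model opt[MAX_IPOPTLEN]; /* fixed-size backing array */
};

/* Validation applied before the fingerprint is stored.
 * Returns 0 when it is safe to use, -EINVAL otherwise.
 * opt_num == ARRAY_SIZE(opt) is still valid: the consumer reads opt[0..opt_num-1]. */
int osf_finger_validate(const struct osf_finger_model *f)
{
    if (f->opt_num > ARRAY_SIZE(f->opt))
        return -EINVAL;

    /* Each string must contain a terminator inside its own buffer; otherwise a
     * later strlen()/strcmp() would read past the field. */
    if (!memchr(f->genre, '\0', sizeof(f->genre)) ||
        !memchr(f->version, '\0', sizeof(f->version)) ||
        !memchr(f->subtype, '\0', sizeof(f->subtype)))
        return -EINVAL;

    return 0;
}

/* Consumer that trusts opt_num. Without the validation above, an oversized
 * opt_num would make this loop read beyond opt[] (the OOB read class). */
size_t osf_count_option_bytes(const struct osf_finger_model *f)
{
    size_t total = 0;

    for (uint32_t i = 0; i < f->opt_num; i++)
        total += f->opt[i].length;
    return total;
}

/* Builds a constructed sample fingerprint. Only the in-bounds part of opt[]
 * is filled, so an oversized opt_num models exactly what user space can send. */
static void osf_make_sample(struct osf_finger_model *f, uint32_t opt_num,
                            int nul_terminated)
{
    memset(f, 0, sizeof(*f));
    f->opt_num = opt_num;
    strcpy(f->genre, "Linux");
    strcpy(f->version, "2.6");
    strcpy(f->subtype, "");
    if (!nul_terminated)
        memset(f->genre, 'A', sizeof(f->genre)); /* no terminator anywhere */

    for (uint32_t i = 0; i < opt_num && i < ARRAY_SIZE(f->opt); i++) {
        f->opt[i].kind = 2;   /* MSS-like kind, value irrelevant here */
        f->opt[i].length = 4;
    }
}

/* Returns the validation result for a constructed sample. */
int osf_demo_validate(uint32_t opt_num, int nul_terminated)
{
    struct osf_finger_model f;

    osf_make_sample(&f, opt_num, nul_terminated);
    return osf_finger_validate(&f);
}

/* Returns the option byte count for a sample that already passed validation,
 * or 0 when validation rejects it (the consumer is never reached). */
size_t osf_demo_option_bytes(uint32_t opt_num)
{
    struct osf_finger_model f;

    osf_make_sample(&f, opt_num, 1);
    if (osf_finger_validate(&f) != 0)
        return 0;
    return osf_count_option_bytes(&f);
}
```

The two checks are independent: the count check keeps the consumer loop inside `opt[]`, and the `memchr()` checks guarantee that string comparisons on the three name fields stop inside their buffers. Both belong at the point where the user-supplied structure is accepted, not in the packet-matching path, so the cost is paid once per rule load rather than per packet.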
Thread overview:
2023-09-01 13:50 [PATH nf v3] netfilter/osf: avoid OOB read (Wander Lairson Costa)
2023-09-05 22:01 Re: [PATH nf v3] netfilter/osf: avoid OOB read (Florian Westphal) [this message]