From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Lin Ma <linma@zju.edu.cn>
Cc: kadlec@netfilter.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
lucien.xin@gmail.com, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH net] netfilter: nft_tunnel: fix geneve_opt type confusion addition
Date: Wed, 2 Apr 2025 21:18:41 +0200 [thread overview]
Message-ID: <Z-2NkQkl18OSJJuG@calendula> (raw)
In-Reply-To: <20250402170026.9696-1-linma@zju.edu.cn>
Hi,
On Thu, Apr 03, 2025 at 01:00:26AM +0800, Lin Ma wrote:
> When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
> parsing logic should place every geneve_opt structure one by one
> compactly. Hence, when deciding the next geneve_opt position, the
> pointer addition should be in units of char *.
>
> However, the current implementation erroneously does type conversion
> before the addition, which will lead to heap out-of-bounds write.
Patch LGTM, I can take it through nf.git, I am preparing a pull
request now.
Thanks.
> [ 6.989857] ==================================================================
> [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
> [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
> [ 6.991162]
> [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
> [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [ 6.992281] Call Trace:
> [ 6.992423] <TASK>
> [ 6.992586] dump_stack_lvl+0x44/0x5c
> [ 6.992801] print_report+0x184/0x4be
> [ 6.993790] kasan_report+0xc5/0x100
> [ 6.994252] kasan_check_range+0xf3/0x1a0
> [ 6.994486] memcpy+0x38/0x60
> [ 6.994692] nft_tunnel_obj_init+0x977/0xa70
> [ 6.995677] nft_obj_init+0x10c/0x1b0
> [ 6.995891] nf_tables_newobj+0x585/0x950
> [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
> [ 6.998997] nfnetlink_rcv+0x1df/0x220
> [ 6.999537] netlink_unicast+0x395/0x530
> [ 7.000771] netlink_sendmsg+0x3d0/0x6d0
> [ 7.001462] __sock_sendmsg+0x99/0xa0
> [ 7.001707] ____sys_sendmsg+0x409/0x450
> [ 7.002391] ___sys_sendmsg+0xfd/0x170
> [ 7.003145] __sys_sendmsg+0xea/0x170
> [ 7.004359] do_syscall_64+0x5e/0x90
> [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> [ 7.006127] RIP: 0033:0x7ec756d4e407
> [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
> [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
> [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
> [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
> [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
> [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
> [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
>
> Fix this bug with correct pointer addition and conversion.
>
> Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> ---
> net/netfilter/nft_tunnel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 681301b46aa4..2df4b2a02f27 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
> static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
> struct nft_tunnel_opts *opts)
> {
> - struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
> + struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
> struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
> int err, data_len;
>
> --
> 2.17.1
>
next prev parent reply other threads:[~2025-04-02 19:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-02 17:00 [PATCH net] netfilter: nft_tunnel: fix geneve_opt type confusion addition Lin Ma
2025-04-02 19:18 ` Pablo Neira Ayuso [this message]
2025-04-02 20:32 ` Pablo Neira Ayuso
2025-04-03 1:23 ` Lin Ma
2025-04-03 10:34 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z-2NkQkl18OSJJuG@calendula \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=linma@zju.edu.cn \
--cc=lucien.xin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.