From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Lin Ma <linma@zju.edu.cn>
Cc: kadlec@netfilter.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
lucien.xin@gmail.com, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH net] netfilter: nft_tunnel: fix geneve_opt type confusion addition
Date: Wed, 2 Apr 2025 22:32:39 +0200
Message-ID: <Z-2e1xaxEw3DSZjd@calendula>
In-Reply-To: <Z-2NkQkl18OSJJuG@calendula>
On Wed, Apr 02, 2025 at 09:18:44PM +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> On Thu, Apr 03, 2025 at 01:00:26AM +0800, Lin Ma wrote:
> > When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
> > parsing logic should place every geneve_opt structure one by one
> > compactly. Hence, when deciding the next geneve_opt position, the
> > pointer addition should be in units of char *.
> >
> > However, the current implementation erroneously does type conversion
> > before the addition, which will lead to heap out-of-bounds write.
>
> Patch LGTM, I can take it through nf.git, I am preparing a pull
> request now.
Actually, this chunk is missing in this patch:
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 2df4b2a02f27..2e40f575aed9 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -625,7 +625,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
if (!inner)
goto failure;
while (opts->len > offset) {
- opt = (struct geneve_opt *)opts->u.data + offset;
+ opt = (struct geneve_opt *)(opts->u.data + offset);
if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
opt->opt_class) ||
nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
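Review bot: the byte-based cast on the `opt = (struct geneve_opt *)(opts->u.data + offset);` line is only correct if `offset` is advanced in bytes further down the loop (the advance is outside this hunk); the loop condition `while (opts->len > offset)` compares against `opts->len`, which the init path accumulates in bytes, so both sides of that comparison must use the same unit. Since this dump-side fix stems from the same commit as the init-side one, fold it into the same patch under the existing `Fixes: 925d844696d9` tag rather than sending it separately.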
> > [ 6.989857] ==================================================================
> > [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
> > [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
> > [ 6.991162]
> > [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
> > [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> > [ 6.992281] Call Trace:
> > [ 6.992423] <TASK>
> > [ 6.992586] dump_stack_lvl+0x44/0x5c
> > [ 6.992801] print_report+0x184/0x4be
> > [ 6.993790] kasan_report+0xc5/0x100
> > [ 6.994252] kasan_check_range+0xf3/0x1a0
> > [ 6.994486] memcpy+0x38/0x60
> > [ 6.994692] nft_tunnel_obj_init+0x977/0xa70
> > [ 6.995677] nft_obj_init+0x10c/0x1b0
> > [ 6.995891] nf_tables_newobj+0x585/0x950
> > [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
> > [ 6.998997] nfnetlink_rcv+0x1df/0x220
> > [ 6.999537] netlink_unicast+0x395/0x530
> > [ 7.000771] netlink_sendmsg+0x3d0/0x6d0
> > [ 7.001462] __sock_sendmsg+0x99/0xa0
> > [ 7.001707] ____sys_sendmsg+0x409/0x450
> > [ 7.002391] ___sys_sendmsg+0xfd/0x170
> > [ 7.003145] __sys_sendmsg+0xea/0x170
> > [ 7.004359] do_syscall_64+0x5e/0x90
> > [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> > [ 7.006127] RIP: 0033:0x7ec756d4e407
> > [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
> > [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
> > [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
> > [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
> > [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
> > [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
> > [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
> >
> > Fix this bug with correct pointer addition and conversion.
> >
> > Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
> > Signed-off-by: Lin Ma <linma@zju.edu.cn>
> > ---
> > net/netfilter/nft_tunnel.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> > index 681301b46aa4..2df4b2a02f27 100644
> > --- a/net/netfilter/nft_tunnel.c
> > +++ b/net/netfilter/nft_tunnel.c
> > @@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
> > static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
> > struct nft_tunnel_opts *opts)
> > {
> > - struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
> > + struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
> > struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
> > int err, data_len;
> >
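Review bot: the corrected line `struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);` depends on `opts->len` being a byte count, and the commit message should say so explicitly, because the same cast-then-add pattern appears in `nft_tunnel_opts_dump` (`opt = (struct geneve_opt *)opts->u.data + offset;`) and a reader checking only this hunk cannot tell whether the two sites are meant to agree. The message could also spell out the arithmetic: with the old form the addition is scaled by `sizeof(struct geneve_opt)`, so a second option is placed four times too far into `u.data`, which is what the KASAN slab-out-of-bounds write in `nft_tunnel_obj_init` reports.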
> > --
> > 2.17.1
> >
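The cast-before-add mistake discussed in the patch above is easy to see in a user-space model. The following C program is an added example, not code from the patch or from the kernel; `struct geneve_opt` is a simplified stand-in for the kernel's definition (same 4-byte header, no bitfields), `struct tunnel_opts`, `OPTS_DATA_MAX` and the payloads are constructed for this example, and `buggy_offset`/`fixed_offset` evaluate the pre-fix and post-fix pointer expressions side by side. `opts_append` packs options the way the fixed code does, with a bounds check, and `opts_count` walks them with a byte-based offset as the dump loop's `while (opts->len > offset)` requires.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's struct geneve_opt (constructed for this
 * example): a 4-byte header followed by opt_data of length*4 bytes. */
struct geneve_opt {
    uint16_t opt_class;
    uint8_t  type;
    uint8_t  length;      /* option data length in 4-byte words (5-bit field in GENEVE) */
    uint8_t  opt_data[];
};

#define OPTS_DATA_MAX 256  /* constructed buffer size for this example */

/* Constructed model of the options blob: a byte array plus a byte count. */
struct tunnel_opts {
    _Alignas(4) uint8_t data[OPTS_DATA_MAX];
    size_t len;           /* bytes of data already in use */
};

/* Byte offset the pre-fix expression actually addresses. The cast binds before
 * '+', so the addition is scaled by sizeof(struct geneve_opt), i.e. 4. A large
 * scratch buffer keeps the computed pointer inside an object. */
size_t buggy_offset(size_t len) {
    static uint8_t scratch[4096];
    struct geneve_opt *opt = (struct geneve_opt *)scratch + len;
    return (size_t)((uint8_t *)opt - scratch);
}

/* Byte offset addressed by the fixed expression: the addition happens on the
 * byte pointer, so len is used as-is. */
size_t fixed_offset(size_t len) {
    static uint8_t scratch[4096];
    struct geneve_opt *opt = (struct geneve_opt *)(scratch + len);
    return (size_t)((uint8_t *)opt - scratch);
}

/* Append one option using the fixed form. Returns 0 on success, -1 if the
 * payload is malformed or would not fit; nothing is written on failure. */
int opts_append(struct tunnel_opts *opts, uint16_t opt_class, uint8_t type,
                const uint8_t *payload, size_t payload_len) {
    if (payload_len % 4 != 0 || payload_len > 31 * 4)
        return -1;                                  /* must fit the 5-bit word count */
    size_t need = sizeof(struct geneve_opt) + payload_len;
    if (opts->len + need > sizeof(opts->data))
        return -1;                                  /* would overflow the blob */
    struct geneve_opt *opt = (struct geneve_opt *)(opts->data + opts->len);
    opt->opt_class = opt_class;
    opt->type = type;
    opt->length = (uint8_t)(payload_len / 4);
    memcpy(opt->opt_data, payload, payload_len);
    opts->len += need;
    return 0;
}

/* Walk the packed options with a byte offset, the unit opts->len is kept in.
 * Returns the option count, or -1 if the encoded lengths do not line up. */
int opts_count(const struct tunnel_opts *opts) {
    size_t offset = 0;
    int n = 0;
    while (opts->len > offset) {
        if (opts->len - offset < sizeof(struct geneve_opt))
            return -1;
        const struct geneve_opt *opt = (const struct geneve_opt *)(opts->data + offset);
        size_t step = sizeof(struct geneve_opt) + (size_t)opt->length * 4;
        if (step > opts->len - offset)
            return -1;
        offset += step;
        n++;
    }
    return n;
}

/* Pack two options, reject a malformed third, and walk the result.
 * Returns the walked option count (2) or -1 on any unexpected outcome. */
int demo_pack_and_walk(void) {
    struct tunnel_opts opts;
    memset(&opts, 0, sizeof(opts));
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed */
    if (opts_append(&opts, 0x0102, 0x80, payload, 8) != 0) return -1;  /* 12 bytes */
    if (opts_append(&opts, 0x0103, 0x81, payload, 4) != 0) return -1;  /* 20 bytes */
    if (opts.len != 20) return -1;
    if (opts_append(&opts, 0x0104, 0x82, payload, 6) != -1 || opts.len != 20)
        return -1;                                  /* 6 is not a multiple of 4 */
    return opts_count(&opts);
}

int main(void) {
    printf("second option at byte %zu (buggy) vs %zu (fixed)\n",
           buggy_offset(12), fixed_offset(12));
    printf("options walked: %d\n", demo_pack_and_walk());
    return 0;
}
```

With a first option of 12 bytes, the buggy expression places the second option 48 bytes into the blob, which is why a handful of attributes was enough for KASAN to flag a write past the slab object; the fixed expression places it at byte 12, and the dump-side walk only stays consistent if its `offset` is advanced in the same byte unit.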