[PATCH net 0/2] Netfilter fixes for net (v2)

[PATCH net 0/2] Netfilter fixes for net (v2)

[Pablo Neira Ayuso]

This is a v2 including a extended PR with one more fix.

-o-

Hi,

This patchset contains Netfilter fixes for net:

1) syzkaller managed to triger UaF due to missing reference on netns in
   bpf infrastructure, from Florian Westphal.

2) Fix incorrect conversion from NFPROTO_UNSPEC to NFPROTO_{IPV4,IPV6}
   in the following xtables targets: MARK and NFLOG. Moreover, add
   missing

I have my half share in this mistake, I did not take the necessary time
to review this: For several years I have been struggling to keep working
on Netfilter, juggling a myriad of side consulting projects to stop
burning my own savings.

I have extended the iptables-tests.py test infrastructure to improve the
coverage of ip6tables and detect similar problems in the future.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-10-21

Thanks.

----------------------------------------------------------------

The following changes since commit cb560795c8c2ceca1d36a95f0d1b2eafc4074e37:

  Merge branch 'mlx5-misc-fixes-2024-10-15' (2024-10-17 12:14:11 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-10-21

for you to fetch changes up to 306ed1728e8438caed30332e1ab46b28c25fe3d8:

  netfilter: xtables: fix typo causing some targets not to load on IPv6 (2024-10-21 11:31:26 +0200)

----------------------------------------------------------------
netfilter pull request 24-10-21

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: bpf: must hold reference on net namespace

Pablo Neira Ayuso (1):
      netfilter: xtables: fix typo causing some targets not to load on IPv6

 net/netfilter/nf_bpf_link.c | 4 ++++
 net/netfilter/xt_NFLOG.c    | 2 +-
 net/netfilter/xt_TRACE.c    | 1 +
 net/netfilter/xt_mark.c     | 2 +-
 4 files changed, 7 insertions(+), 2 deletions(-)

[PATCH net 1/2] netfilter: bpf: must hold reference on net namespace

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60

Eric says:
 It seems that bpf was able to defer the __nf_unregister_net_hook()
 after exit()/close() time.
 Perhaps a netns reference is missing, because the netns has been
 dismantled/freed already.
 bpf_nf_link_attach() does :
 link->net = net;
 But I do not see a reference being taken on net.

Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.

Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
Diagnosed-by: Eric Dumazet <edumazet@google.com>
Reported-by: Lai, Yi <yi1.lai@linux.intel.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_bpf_link.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index 5257d5e7eb09..e5e79a08c10b 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -23,6 +23,7 @@ static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
 struct bpf_nf_link {
 	struct bpf_link link;
 	struct nf_hook_ops hook_ops;
+	netns_tracker ns_tracker;
 	struct net *net;
 	u32 dead;
 	const struct nf_defrag_hook *defrag_hook;
@@ -120,6 +121,7 @@ static void bpf_nf_link_release(struct bpf_link *link)
 	if (!cmpxchg(&nf_link->dead, 0, 1)) {
 		nf_unregister_net_hook(nf_link->net, &nf_link->hook_ops);
 		bpf_nf_disable_defrag(nf_link);
+		put_net_track(nf_link->net, &nf_link->ns_tracker);
 	}
 }
 
@@ -257,6 +259,8 @@ int bpf_nf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
 		return err;
 	}
 
+	get_net_track(net, &link->ns_tracker, GFP_KERNEL);
+
 	return bpf_link_settle(&link_primer);
 }
 
-- 
2.30.2

[PATCH net 2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6

[Pablo Neira Ayuso]

- There is no NFPROTO_IPV6 family for mark and NFLOG.
- TRACE is also missing module autoload with NFPROTO_IPV6.

This results in ip6tables failing to restore a ruleset. This issue has been
reported by several users providing incomplete patches.

Very similar to Ilya Katsnelson's patch including a missing chunk in the
TRACE extension.

Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
Reported-by: Ignat Korchagin <ignat@cloudflare.com>
Reported-by: Ilya Katsnelson <me@0upti.me>
Reported-by: Krzysztof Olędzki <ole@ans.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_NFLOG.c | 2 +-
 net/netfilter/xt_TRACE.c | 1 +
 net/netfilter/xt_mark.c  | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index d80abd6ccaf8..6dcf4bc7e30b 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -79,7 +79,7 @@ static struct xt_target nflog_tg_reg[] __read_mostly = {
 	{
 		.name       = "NFLOG",
 		.revision   = 0,
-		.family     = NFPROTO_IPV4,
+		.family     = NFPROTO_IPV6,
 		.checkentry = nflog_tg_check,
 		.destroy    = nflog_tg_destroy,
 		.target     = nflog_tg,
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index f3fa4f11348c..a642ff09fc8e 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -49,6 +49,7 @@ static struct xt_target trace_tg_reg[] __read_mostly = {
 		.target		= trace_tg,
 		.checkentry	= trace_tg_check,
 		.destroy	= trace_tg_destroy,
+		.me		= THIS_MODULE,
 	},
 #endif
 };
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index f76fe04fc9a4..65b965ca40ea 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -62,7 +62,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
 	{
 		.name           = "MARK",
 		.revision       = 2,
-		.family         = NFPROTO_IPV4,
+		.family         = NFPROTO_IPV6,
 		.target         = mark_tg,
 		.targetsize     = sizeof(struct xt_mark_tginfo2),
 		.me             = THIS_MODULE,
-- 
2.30.2

Re: [PATCH net 0/2] Netfilter fixes for net (v2)

[Pablo Neira Ayuso]

Apologies for incomplete cover letter sentence, see below.

On Mon, Oct 21, 2024 at 11:45:34AM +0200, Pablo Neira Ayuso wrote:
[...]
> Hi,
> 
> This patchset contains Netfilter fixes for net:
> 
> 1) syzkaller managed to triger UaF due to missing reference on netns in
>    bpf infrastructure, from Florian Westphal.
> 
> 2) Fix incorrect conversion from NFPROTO_UNSPEC to NFPROTO_{IPV4,IPV6}
>    in the following xtables targets: MARK and NFLOG. Moreover, add
>    missing
            ^
     missing THIS_MODULE reference to TRACE target.

Re: [PATCH net 2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6

[Linux regression tracking (Thorsten Leemhuis)]

[CCing Greg and the stable list, to ensure he is aware of this, as well
as the regressions list]

On 21.10.24 11:45, Pablo Neira Ayuso wrote:
> - There is no NFPROTO_IPV6 family for mark and NFLOG.
> - TRACE is also missing module autoload with NFPROTO_IPV6.
> 
> This results in ip6tables failing to restore a ruleset. This issue has been
> reported by several users providing incomplete patches.
> 
> Very similar to Ilya Katsnelson's patch including a missing chunk in the
> TRACE extension.
> 
> Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
> [...]

Just FYI as the culprit recently hit various stable series (v6.11.4,
v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like
issues that might be fixed by this to my untrained eyes. I suppose they
won't tell you anything new and maybe you even have seen them, but on
the off-chance that this might not be the case you can find them here:

https://bugzilla.kernel.org/show_bug.cgi?id=219397
https://bugzilla.kernel.org/show_bug.cgi?id=219402
https://bugzilla.kernel.org/show_bug.cgi?id=219409

Ciao, Thorsten

Re: [PATCH net 2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6

[Greg KH]

On Tue, Oct 22, 2024 at 09:39:38AM +0200, Linux regression tracking (Thorsten Leemhuis) wrote:
> [CCing Greg and the stable list, to ensure he is aware of this, as well
> as the regressions list]
> 
> On 21.10.24 11:45, Pablo Neira Ayuso wrote:
> > - There is no NFPROTO_IPV6 family for mark and NFLOG.
> > - TRACE is also missing module autoload with NFPROTO_IPV6.
> > 
> > This results in ip6tables failing to restore a ruleset. This issue has been
> > reported by several users providing incomplete patches.
> > 
> > Very similar to Ilya Katsnelson's patch including a missing chunk in the
> > TRACE extension.
> > 
> > Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
> > [...]
> 
> Just FYI as the culprit recently hit various stable series (v6.11.4,
> v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like
> issues that might be fixed by this to my untrained eyes. I suppose they
> won't tell you anything new and maybe you even have seen them, but on
> the off-chance that this might not be the case you can find them here:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=219397
> https://bugzilla.kernel.org/show_bug.cgi?id=219402
> https://bugzilla.kernel.org/show_bug.cgi?id=219409

Is this commit in linux-next yet?  I looked yesterday but couldn't find
it anywhere...

thanks,

greg k-h

Re: [PATCH net 2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6

[Pablo Neira Ayuso]

Hi Greg,

On Tue, Oct 22, 2024 at 09:44:19AM +0200, Greg KH wrote:
> On Tue, Oct 22, 2024 at 09:39:38AM +0200, Linux regression tracking (Thorsten Leemhuis) wrote:
> > [CCing Greg and the stable list, to ensure he is aware of this, as well
> > as the regressions list]
> > 
> > On 21.10.24 11:45, Pablo Neira Ayuso wrote:
> > > - There is no NFPROTO_IPV6 family for mark and NFLOG.
> > > - TRACE is also missing module autoload with NFPROTO_IPV6.
> > > 
> > > This results in ip6tables failing to restore a ruleset. This issue has been
> > > reported by several users providing incomplete patches.
> > > 
> > > Very similar to Ilya Katsnelson's patch including a missing chunk in the
> > > TRACE extension.
> > > 
> > > Fixes: 0bfcb7b71e73 ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
> > > [...]
> > 
> > Just FYI as the culprit recently hit various stable series (v6.11.4,
> > v6.6.57, v6.1.113, v5.15.168) quite a few reports came in that look like
> > issues that might be fixed by this to my untrained eyes. I suppose they
> > won't tell you anything new and maybe you even have seen them, but on
> > the off-chance that this might not be the case you can find them here:
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=219397
> > https://bugzilla.kernel.org/show_bug.cgi?id=219402
> > https://bugzilla.kernel.org/show_bug.cgi?id=219409
> 
> Is this commit in linux-next yet?  I looked yesterday but couldn't find
> it anywhere...

Not yet, there is a pending PR to reach netdev.git at this moment.

Re: [PATCH net 1/2] netfilter: bpf: must hold reference on net namespace

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Mon, 21 Oct 2024 11:45:35 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
> Read of size 8 at addr ffff8880106fe400 by task repro/72=
> bpf_nf_link_release+0xda/0x1e0
> bpf_link_free+0x139/0x2d0
> bpf_link_release+0x68/0x80
> __fput+0x414/0xb60
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: bpf: must hold reference on net namespace
    https://git.kernel.org/netdev/net/c/1230fe7ad397
  - [net,2/2] netfilter: xtables: fix typo causing some targets not to load on IPv6
    https://git.kernel.org/netdev/net/c/306ed1728e84

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html