From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com,
Paolo Abeni <pabeni@redhat.com>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 3.18 08/25] netfilter: nat: cope with negative port range
Date: Fri, 16 Mar 2018 16:22:55 +0100 [thread overview]
Message-ID: <20180316152233.096672405@linuxfoundation.org> (raw)
In-Reply-To: <20180316152232.750180431@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit db57ccf0f2f4624b4c4758379f8165277504fbd7 upstream.
syzbot reported a division by 0 bug in the netfilter nat code:
divide error: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530
net/netfilter/nf_nat_proto_common.c:88
RSP: 0018:ffff8801b2466778 EFLAGS: 00010246
RAX: 000000000000f153 RBX: ffff8801b2466dd8 RCX: ffff8801b2466c7c
RDX: 0000000000000000 RSI: ffff8801b2466c58 RDI: ffff8801db5293ac
RBP: ffff8801b24667d8 R08: ffff8801b8ba6dc0 R09: ffffffff88af5900
R10: ffff8801b24666f0 R11: 0000000000000000 R12: 000000002990f153
R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801b2466c7c
FS: 00000000017e3880(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208fdfe4 CR3: 00000001b5340002 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
dccp_unique_tuple+0x40/0x50 net/netfilter/nf_nat_proto_dccp.c:30
get_unique_tuple+0xc28/0x1c10 net/netfilter/nf_nat_core.c:362
nf_nat_setup_info+0x1c2/0xe00 net/netfilter/nf_nat_core.c:406
nf_nat_redirect_ipv6+0x306/0x730 net/netfilter/nf_nat_redirect.c:124
redirect_tg6+0x7f/0xb0 net/netfilter/xt_REDIRECT.c:34
ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365
ip6table_nat_do_chain+0x65/0x80 net/ipv6/netfilter/ip6table_nat.c:41
nf_nat_ipv6_fn+0x594/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:302
nf_nat_ipv6_local_fn+0x33/0x5d0
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407
ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69
nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
nf_hook include/linux/netfilter.h:243 [inline]
NF_HOOK include/linux/netfilter.h:286 [inline]
ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_connect+0x369/0x670 net/dccp/output.c:564
dccp_v6_connect+0xe17/0x1bf0 net/dccp/ipv6.c:946
__inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620
inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684
SYSC_connect+0x213/0x4a0 net/socket.c:1639
SyS_connect+0x24/0x30 net/socket.c:1620
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x441c69
RSP: 002b:00007ffe50cc0be8 EFLAGS: 00000217 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000441c69
RDX: 000000000000001c RSI: 00000000208fdfe4 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000538 R11: 0000000000000217 R12: 0000000000403590
R13: 0000000000403620 R14: 0000000000000000 R15: 0000000000000000
Code: 48 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 46 02 00 00 48 8b
45 c8 44 0f b7 20 e8 88 97 04 fd 31 d2 41 0f b7 c4 4c 89 f9 <41> f7 f6 48
c1 e9 03 48 b8 00 00 00 00 00 fc ff df 0f b6 0c 01
RIP: nf_nat_l4proto_unique_tuple+0x291/0x530
net/netfilter/nf_nat_proto_common.c:88 RSP: ffff8801b2466778
The problem is that currently we don't have any check on the
configured port range. A port range == -1 triggers the bug, while
other negative values may require a very long time to complete the
following loop.
This commit addresses the issue swapping the two ends on negative
ranges. The check is performed in nf_nat_l4proto_unique_tuple() since
the nft nat loads the port values from nft registers at runtime.
v1 -> v2: use the correct 'Fixes' tag
v2 -> v3: update commit message, drop unneeded READ_ONCE()
Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack")
Reported-by: syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_nat_proto_common.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const s
const struct nf_conn *ct,
u16 *rover)
{
- unsigned int range_size, min, i;
+ unsigned int range_size, min, max, i;
__be16 *portptr;
u_int16_t off;
@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const s
}
} else {
min = ntohs(range->min_proto.all);
- range_size = ntohs(range->max_proto.all) - min + 1;
+ max = ntohs(range->max_proto.all);
+ if (unlikely(max < min))
+ swap(max, min);
+ range_size = max - min + 1;
}
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
next prev parent reply other threads:[~2018-03-16 15:26 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 15:22 [PATCH 3.18 00/25] 3.18.100-stable review Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 01/25] scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 02/25] MIPS: BMIPS: Do not mask IPIs during suspend Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 03/25] Input: matrix_keypad - fix race when disabling interrupts Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 04/25] x86/MCE: Serialize sysfs changes Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 05/25] ALSA: seq: Dont allow resizing pool in use Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 06/25] ALSA: seq: More protection for concurrent write and ioctl races Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 07/25] netfilter: x_tables: fix missing timer initialization in xt_LED Greg Kroah-Hartman
2018-03-16 15:22 ` Greg Kroah-Hartman [this message]
2018-03-16 15:22 ` [PATCH 3.18 09/25] netfilter: IDLETIMER: be syzkaller friendly Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 10/25] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 11/25] netfilter: bridge: ebt_among: add missing match size checks Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 12/25] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 13/25] ubi: Fix race condition between ubi volume creation and udev Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 14/25] scripts: recordmcount: break hardlinks Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 15/25] x86/module: Detect and skip invalid relocations Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 16/25] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 17/25] serial: sh-sci: prevent lockup on full TTY buffers Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 18/25] tty/serial: atmel: add new version check for usart Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 19/25] uas: fix comparison for error code Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 20/25] staging: android: ashmem: Fix lockdep issue during llseek Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 21/25] usb: quirks: add control message delay for 1b1c:1b20 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 22/25] USB: usbmon: remove assignment from IS_ERR argument Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 23/25] usb: usbmon: Read text within supplied buffer size Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 24/25] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 25/25] fixup: sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-16 19:21 ` [PATCH 3.18 00/25] 3.18.100-stable review Harsh Shandilya
2018-03-18 10:14 ` Greg Kroah-Hartman
2018-03-16 21:00 ` kernelci.org bot
2018-03-17 14:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180316152233.096672405@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox