Date: Sun, 21 Jun 2020 20:45:14 +0100
From: Russell King - ARM Linux admin
To: coreteam@netfilter.org, netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Jakub Kicinski, netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: ipset: fix unaligned atomic access
Message-ID: <20200621194514.GW1551@shell.armlinux.org.uk>
User-Agent: Mutt/1.10.1 (2018-07-13)

Gentle ping...

This patch fixes a remotely triggerable kernel oops, and as such can be
viewed as a remote denial of service attack depending on the netfilter
rule setup.

On Wed, Jun 10, 2020 at 09:51:11PM +0100, Russell King wrote:
> When using ip_set with counters and comment, traffic causes the kernel
> to panic on 32-bit ARM:
>
> Alignment trap: not handling instruction e1b82f9f at []
> Unhandled fault: alignment exception (0x221) at 0xea08133c
> PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
>
> The problem occurs when we try to update the 64-bit counters - the
> faulting address above is not 64-bit aligned. The problem occurs
> due to the way elements are allocated, for example:
>
> set->dsize = ip_set_elem_len(set, tb, 0, 0);
> map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
>
> If the element has a requirement for a member to be 64-bit aligned,
> and set->dsize is not a multiple of 8, but is a multiple of four,
> then every odd-numbered element will be misaligned - and hitting
> an atomic64_add() on that element will cause the kernel to panic.
>
> ip_set_elem_len() must return a size that is rounded to the maximum
> alignment of any extension field stored in the element. This change
> ensures that is the case.
>
> Signed-off-by: Russell King
> ---
> Patch against v5.6, where I tripped over this bug. This bug has
> caused a kernel panic on my new router twice today.
>
> net/netfilter/ipset/ip_set_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index 8dd17589217d..be9cd6a500fb 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -459,6 +459,8 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
>  	for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
>  		if (!add_extension(id, cadt_flags, tb))
>  			continue;
> +		if (align < ip_set_extensions[id].align)
> +			align = ip_set_extensions[id].align;
>  		len = ALIGN(len, ip_set_extensions[id].align);
>  		set->offset[id] = len;
>  		set->extensions |= ip_set_extensions[id].type;
> --
> 2.20.1
>
>

--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
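Review bot: the two added lines in the ip_set_elem_len() hunk raise `align` to the largest extension alignment, but neither the declaration of `align` nor the final rounding of `len` to it appears in the shown context, and the diffstat records only these two insertions, so the fix depends on the function already taking `align` as a parameter (the @@ header shows the signature continuing past `size_t len,`, and the call quoted in the description passes 0 for it: `ip_set_elem_len(set, tb, 0, 0)`) and already returning `len` rounded to `align`. The commit message should state that dependency explicitly, and it is worth confirming that a zero `align` from that caller is normalised to 1 before the return, since rounding to 0 would not yield a usable element size.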
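To make the arithmetic in the description concrete, here is an added example (not the kernel's code) that models the ip_set_elem_len() loop with a constructed two-extension table for a 32-bit target: without the rounding the patch adds, dsize comes out as 20, so the second element's counters sit 4 bytes past an 8-byte boundary; with it, dsize becomes 24 and every element is aligned. The extension sizes and alignments are assumptions for illustration, and ALIGN() is reproduced in its kernel form.

```c
#include <stddef.h>

/* Kernel-style round-up to a power-of-two boundary, as ip_set_elem_len() uses. */
#define ALIGN(x, a) (((x) + ((a) - 1)) & ~((size_t)(a) - 1))

struct ext_type {
	size_t len;   /* bytes the extension occupies */
	size_t align; /* alignment its first member needs */
};

/* Constructed table for a 32-bit ARM build (an assumption, not the kernel's
 * table): counters hold two atomic64_t (16 bytes, 8-byte aligned), the
 * comment extension is a single 4-byte pointer. */
static const struct ext_type exts[] = {
	{ 16, 8 }, /* counters */
	{ 4, 4 },  /* comment */
};
#define NEXT (sizeof(exts) / sizeof(exts[0]))

/* Per-element size computed the way the loop in ip_set_elem_len() does it;
 * offset[] receives each extension's offset inside the element. With
 * round_to_max set, the total is rounded to the largest extension alignment
 * seen, which is what the patch adds. */
static size_t elem_len(size_t len, size_t offset[], int round_to_max)
{
	size_t align = 1;

	for (size_t id = 0; id < NEXT; id++) {
		if (align < exts[id].align)
			align = exts[id].align;
		len = ALIGN(len, exts[id].align);
		offset[id] = len;
		len += exts[id].len;
	}
	return round_to_max ? ALIGN(len, align) : len;
}

/* For nelem elements packed back to back with stride dsize, return the index
 * of the first one whose counters (extension 0) are misaligned, -1 if none. */
static long first_bad_counter(int round_to_max, size_t nelem)
{
	size_t off[NEXT], dsize = elem_len(0, off, round_to_max);

	for (size_t i = 0; i < nelem; i++)
		if ((i * dsize + off[0]) % exts[0].align)
			return (long)i;
	return -1;
}
```

With the constructed table, first_bad_counter(0, 8) reports element 1 as the first misaligned one, matching the "every odd-numbered element" observation, while first_bad_counter(1, 8) reports none.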