* [PATCH net 0/4] Netfilter fixes for net
@ 2022-05-27 9:20 Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind Pablo Neira Ayuso
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-27 9:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
Hi,
The following contain more Netfilter fixes for net:
1) syzbot warning in nfnetlink bind, from Florian.
2) Refetch conntrack after __nf_conntrack_confirm(), from Florian Westphal.
3) Move struct nf_ct_timeout back at the bottom of the ctnl_time, to
where it before recent update, also from Florian.
4) Add NL_SET_BAD_ATTR() to nf_tables netlink for proper set element
commands error reporting.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 02ded5a173619b11728b8bf75a3fd995a2c1ff28:
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register (2022-05-27 08:02:33 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to b53c116642502b0c85ecef78bff4f826a7dd4145:
netfilter: nf_tables: set element extended ACK reporting support (2022-05-27 11:16:38 +0200)
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nfnetlink: fix warn in nfnetlink_unbind
netfilter: conntrack: re-fetch conntrack after insertion
netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit
Pablo Neira Ayuso (1):
netfilter: nf_tables: set element extended ACK reporting support
include/net/netfilter/nf_conntrack_core.h | 7 ++++++-
net/netfilter/nf_tables_api.c | 12 +++++++++---
net/netfilter/nfnetlink.c | 24 +++++-------------------
net/netfilter/nfnetlink_cttimeout.c | 5 +++--
4 files changed, 23 insertions(+), 25 deletions(-)
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind
2022-05-27 9:20 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
@ 2022-05-27 9:20 ` Pablo Neira Ayuso
2022-05-27 10:20 ` patchwork-bot+netdevbpf
2022-05-27 9:20 ` [PATCH net 2/4] netfilter: conntrack: re-fetch conntrack after insertion Pablo Neira Ayuso
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-27 9:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
From: Florian Westphal <fw@strlen.de>
syzbot reports following warn:
WARNING: CPU: 0 PID: 3600 at net/netfilter/nfnetlink.c:703 nfnetlink_unbind+0x357/0x3b0 net/netfilter/nfnetlink.c:694
The syzbot generated program does this:
socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = 3
setsockopt(3, SOL_NETLINK, NETLINK_DROP_MEMBERSHIP, [1], 4) = 0
... which triggers 'WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == 0)' check.
Instead of counting, just enable reporting for every bind request
and check if we still have listeners on unbind.
While at it, also add the needed bounds check on nfnl_group2type[]
access.
Reported-by: <syzbot+4903218f7fba0a2d6226@syzkaller.appspotmail.com>
Reported-by: <syzbot+afd2d80e495f96049571@syzkaller.appspotmail.com>
Fixes: 2794cdb0b97b ("netfilter: nfnetlink: allow to detect if ctnetlink listeners exist")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink.c | 24 +++++-------------------
1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index ad3bbe34ca88..2f7c477fc9e7 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -45,7 +45,6 @@ MODULE_DESCRIPTION("Netfilter messages via netlink socket");
static unsigned int nfnetlink_pernet_id __read_mostly;
struct nfnl_net {
- unsigned int ctnetlink_listeners;
struct sock *nfnl;
};
@@ -673,18 +672,8 @@ static int nfnetlink_bind(struct net *net, int group)
#ifdef CONFIG_NF_CONNTRACK_EVENTS
if (type == NFNL_SUBSYS_CTNETLINK) {
- struct nfnl_net *nfnlnet = nfnl_pernet(net);
-
nfnl_lock(NFNL_SUBSYS_CTNETLINK);
-
- if (WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == UINT_MAX)) {
- nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
- return -EOVERFLOW;
- }
-
- nfnlnet->ctnetlink_listeners++;
- if (nfnlnet->ctnetlink_listeners == 1)
- WRITE_ONCE(net->ct.ctnetlink_has_listener, true);
+ WRITE_ONCE(net->ct.ctnetlink_has_listener, true);
nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
}
#endif
@@ -694,15 +683,12 @@ static int nfnetlink_bind(struct net *net, int group)
static void nfnetlink_unbind(struct net *net, int group)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
- int type = nfnl_group2type[group];
-
- if (type == NFNL_SUBSYS_CTNETLINK) {
- struct nfnl_net *nfnlnet = nfnl_pernet(net);
+ if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX)
+ return;
+ if (nfnl_group2type[group] == NFNL_SUBSYS_CTNETLINK) {
nfnl_lock(NFNL_SUBSYS_CTNETLINK);
- WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == 0);
- nfnlnet->ctnetlink_listeners--;
- if (nfnlnet->ctnetlink_listeners == 0)
+ if (!nfnetlink_has_listeners(net, group))
WRITE_ONCE(net->ct.ctnetlink_has_listener, false);
nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH net 2/4] netfilter: conntrack: re-fetch conntrack after insertion
2022-05-27 9:20 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind Pablo Neira Ayuso
@ 2022-05-27 9:20 ` Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 3/4] netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 4/4] netfilter: nf_tables: set element extended ACK reporting support Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-27 9:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
From: Florian Westphal <fw@strlen.de>
In case the conntrack is clashing, insertion can free skb->_nfct and
set skb->_nfct to the already-confirmed entry.
This wasn't found before because the conntrack entry and the extension
space used to free'd after an rcu grace period, plus the race needs
events enabled to trigger.
Reported-by: <syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com>
Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race")
Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_conntrack_core.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 6406cfee34c2..37866c8386e2 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
int ret = NF_ACCEPT;
if (ct) {
- if (!nf_ct_is_confirmed(ct))
+ if (!nf_ct_is_confirmed(ct)) {
ret = __nf_conntrack_confirm(skb);
+
+ if (ret == NF_ACCEPT)
+ ct = (struct nf_conn *)skb_nfct(skb);
+ }
+
if (ret == NF_ACCEPT && nf_ct_ecache_exist(ct))
nf_ct_deliver_cached_events(ct);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH net 3/4] netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit
2022-05-27 9:20 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 2/4] netfilter: conntrack: re-fetch conntrack after insertion Pablo Neira Ayuso
@ 2022-05-27 9:20 ` Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 4/4] netfilter: nf_tables: set element extended ACK reporting support Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-27 9:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
From: Florian Westphal <fw@strlen.de>
syzbot reports:
BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0xcc/0xf0 lib/list_debug.c:42
[..]
list_del include/linux/list.h:148 [inline]
cttimeout_net_exit+0x211/0x540 net/netfilter/nfnetlink_cttimeout.c:617
No reproducer so far. Looking at recent changes in this area
its clear that the free_head must not be at the end of the
structure because nf_ct_timeout structure has variable size.
Reported-by: <syzbot+92968395eedbdbd3617d@syzkaller.appspotmail.com>
Fixes: 78222bacfca9 ("netfilter: cttimeout: decouple unlink and free on netns destruction")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_cttimeout.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index f069c24c6146..af15102bc696 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -35,12 +35,13 @@ static unsigned int nfct_timeout_id __read_mostly;
struct ctnl_timeout {
struct list_head head;
+ struct list_head free_head;
struct rcu_head rcu_head;
refcount_t refcnt;
char name[CTNL_TIMEOUT_NAME_MAX];
- struct nf_ct_timeout timeout;
- struct list_head free_head;
+ /* must be at the end */
+ struct nf_ct_timeout timeout;
};
struct nfct_timeout_pernet {
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH net 4/4] netfilter: nf_tables: set element extended ACK reporting support
2022-05-27 9:20 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2022-05-27 9:20 ` [PATCH net 3/4] netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit Pablo Neira Ayuso
@ 2022-05-27 9:20 ` Pablo Neira Ayuso
3 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-27 9:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni
Report the element that causes problems via netlink extended ACK for set
element commands.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f296dfe86b62..f4f1d0a2da43 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5348,8 +5348,10 @@ static int nf_tables_getsetelem(struct sk_buff *skb,
nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
err = nft_get_set_elem(&ctx, set, attr);
- if (err < 0)
+ if (err < 0) {
+ NL_SET_BAD_ATTR(extack, attr);
break;
+ }
}
return err;
@@ -6126,8 +6128,10 @@ static int nf_tables_newsetelem(struct sk_buff *skb,
nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
- if (err < 0)
+ if (err < 0) {
+ NL_SET_BAD_ATTR(extack, attr);
return err;
+ }
}
if (nft_net->validate_state == NFT_VALIDATE_DO)
@@ -6397,8 +6401,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
err = nft_del_setelem(&ctx, set, attr);
- if (err < 0)
+ if (err < 0) {
+ NL_SET_BAD_ATTR(extack, attr);
break;
+ }
}
return err;
}
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind
2022-05-27 9:20 ` [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind Pablo Neira Ayuso
@ 2022-05-27 10:20 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-05-27 10:20 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Fri, 27 May 2022 11:20:20 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> syzbot reports following warn:
> WARNING: CPU: 0 PID: 3600 at net/netfilter/nfnetlink.c:703 nfnetlink_unbind+0x357/0x3b0 net/netfilter/nfnetlink.c:694
>
> The syzbot generated program does this:
>
> [...]
Here is the summary with links:
- [net,1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind
https://git.kernel.org/netdev/net/c/ffd219efd9ee
- [net,2/4] netfilter: conntrack: re-fetch conntrack after insertion
https://git.kernel.org/netdev/net/c/56b14ecec97f
- [net,3/4] netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit
https://git.kernel.org/netdev/net/c/aeed55a08d0b
- [net,4/4] netfilter: nf_tables: set element extended ACK reporting support
https://git.kernel.org/netdev/net/c/b53c11664250
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-05-27 10:20 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-27 9:20 [PATCH net 0/4] Netfilter fixes for net Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 1/4] netfilter: nfnetlink: fix warn in nfnetlink_unbind Pablo Neira Ayuso
2022-05-27 10:20 ` patchwork-bot+netdevbpf
2022-05-27 9:20 ` [PATCH net 2/4] netfilter: conntrack: re-fetch conntrack after insertion Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 3/4] netfilter: cttimeout: fix slab-out-of-bounds read in cttimeout_net_exit Pablo Neira Ayuso
2022-05-27 9:20 ` [PATCH net 4/4] netfilter: nf_tables: set element extended ACK reporting support Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).