Date: Sat, 13 Apr 2019 09:35:12 -0400
From: Sasha Levin
To: Zubin Mithra
Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org, groeck@chromium.org, pablo@netfilter.org, fw@strlen.de, eric.dumazet@gmail.com, kadlec@blackhole.kfki.hu, davem@davemloft.net
Subject: Re: [PATCH v4.19.y 1/2] netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr
Message-ID: <20190413133512.GT11568@sasha-vm>
In-Reply-To: <20190412175503.132995-1-zsm@chromium.org>

On Fri, Apr 12, 2019 at 10:55:02AM -0700, Zubin Mithra wrote:
>From: Pablo Neira Ayuso
>
>commit 8866df9264a34e675b4ee8a151db819b87cce2d3 upstream
>
>Otherwise, we hit a NULL pointer dereference since handlers always assume
>default timeout policy is passed.
>
> netlink: 24 bytes leftover after parsing attributes in process `syz-executor2'.
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9575 Comm: syz-executor1 Not tainted 4.19.0+ #312
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:icmp_timeout_obj_to_nlattr+0x77/0x170 net/netfilter/nf_conntrack_proto_icmp.c:297
>
>Fixes: c779e849608a ("netfilter: conntrack: remove get_timeout() indirection")
>Reported-by: Eric Dumazet
>Signed-off-by: Pablo Neira Ayuso
>Signed-off-by: Zubin Mithra
>---
>Notes:
>* Syzkaller reported a general protection fault in icmp_timeout_obj_to_nlattr
>when fuzzing a 4.19 kernel.
>
>Call Trace:
> cttimeout_default_fill_info net/netfilter/nfnetlink_cttimeout.c:424 [inline]
> cttimeout_default_get+0x574/0x766 net/netfilter/nfnetlink_cttimeout.c:471
> nfnetlink_rcv_msg+0x544/0x5bd net/netfilter/nfnetlink.c:228
> netlink_rcv_skb+0x1cf/0x2a1 net/netlink/af_netlink.c:2454
> nfnetlink_rcv+0x30f/0x34a net/netfilter/nfnetlink.c:560
> netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
> netlink_unicast+0x3c5/0x4c3 net/netlink/af_netlink.c:1343
> netlink_sendmsg+0x829/0x88e net/netlink/af_netlink.c:1908
> sock_sendmsg_nosec+0x8c/0xad net/socket.c:621
> sock_sendmsg+0x4f/0x60 net/socket.c:631
> ___sys_sendmsg+0x4d6/0x63f net/socket.c:2116
> __sys_sendmsg+0xee/0x17b net/socket.c:2154
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>* This patch resolves the following conflicts when applying to 4.19:
>- l3num is not used as an argument for cttimeout_default_fill_info() in 4.19
>- nf_icmp_pernet, nf_tcp_pernet, nf_udp_pernet, nf_dccp_pernet,
>nf_icmpv6_pernet, nf_sctp_pernet, nf_generic_pernet do not exist in
>4.19. Expand the usage of those functions into one-liners.
>
>* Tests run: Chrome OS tryjobs, Syzkaller reproducer

I've queued these 2 patches up. It's very nice to see syzkaller running on
-stable kernels, thanks all!

--
Thanks,
Sasha
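The bug class behind this backport, as an added C illustration that is not part of this thread and not the kernel's netfilter code: a per-protocol `obj_to_nlattr` handler dereferences the timeout-policy pointer it is given without checking it, so the caller that answers a "default get" request must resolve the protocol's default policy and pass it rather than NULL. Every name and value below (`toy_*`, the timeout tables, the `KEY=value;` encoding standing in for netlink attributes) is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the call path named in the commit message:
 * a "default get" request selects the per-L4-protocol default timeout
 * table and hands it to that protocol's obj_to_nlattr handler. Nothing
 * here is kernel code; names, layouts and values are invented. */

enum toy_l4 { TOY_L4_ICMP = 1, TOY_L4_UDP = 17 };

/* Per-protocol default timeout policies (seconds; constructed values). */
static const unsigned int toy_icmp_default[1] = { 30 };
static const unsigned int toy_udp_default[2]  = { 30, 180 };

/* Stand-in for the netlink attribute buffer being filled. */
struct toy_nlbuf { char data[128]; size_t len; };

typedef int (*toy_obj_to_nlattr_fn)(struct toy_nlbuf *, const void *);

/* Append one "KEY=value;" attribute, refusing to overflow the buffer. */
static int toy_append(struct toy_nlbuf *b, const char *key, unsigned int v)
{
    int n = snprintf(b->data + b->len, sizeof b->data - b->len, "%s=%u;", key, v);
    if (n < 0 || (size_t)n >= sizeof b->data - b->len)
        return -ENOSPC;
    b->len += (size_t)n;
    return 0;
}

/* Handlers assume `data` is a valid policy table; a NULL here is the
 * general protection fault in the report. */
static int toy_icmp_obj_to_nlattr(struct toy_nlbuf *b, const void *data)
{
    const unsigned int *t = data;
    return toy_append(b, "ICMP_TIMEOUT", t[0]);
}

static int toy_udp_obj_to_nlattr(struct toy_nlbuf *b, const void *data)
{
    const unsigned int *t = data;
    int err = toy_append(b, "UDP_UNREPLIED", t[0]);
    return err ? err : toy_append(b, "UDP_REPLIED", t[1]);
}

/* Before the fix the caller invoked the handler with no policy, i.e.
 *     return h(b, NULL);
 * (left as a comment: executing it dereferences NULL inside the handler).
 * After the fix the caller resolves the protocol's default policy and
 * passes it, so the handler's assumption holds; an unknown protocol is
 * rejected up front instead of reaching a handler with a bad pointer. */
static int toy_default_fill_info(struct toy_nlbuf *b, int l4num)
{
    toy_obj_to_nlattr_fn h;
    const void *defaults;

    switch (l4num) {
    case TOY_L4_ICMP: h = toy_icmp_obj_to_nlattr; defaults = toy_icmp_default; break;
    case TOY_L4_UDP:  h = toy_udp_obj_to_nlattr;  defaults = toy_udp_default;  break;
    default:          return -EOPNOTSUPP;
    }
    b->len = 0;
    b->data[0] = '\0';
    return h(b, defaults);
}

int main(void)
{
    struct toy_nlbuf b;
    if (toy_default_fill_info(&b, TOY_L4_UDP) == 0)
        printf("%s\n", b.data);
    return 0;
}
```

The point to carry over to review of similar code: when a callback contract says "this pointer is never NULL", the fix belongs at the call site that violates it (here, resolving and passing the default policy), and a fuzzer-found GPF on a `_obj_to_nlattr`-style handler is a signal to audit every caller of that handler, not only the one in the trace.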