From: Sasha Levin <sashal@kernel.org>
To: Zubin Mithra <zsm@chromium.org>
Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org,
groeck@chromium.org, fruggeri@arista.com, pablo@netfilter.org,
kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net
Subject: Re: [PATCH v4.14.y] netfilter: compat: initialize all fields in xt_init
Date: Fri, 10 May 2019 16:10:57 -0400
Message-ID: <20190510201057.GA14410@sasha-vm>
In-Reply-To: <20190510161930.182336-1-zsm@chromium.org>
On Fri, May 10, 2019 at 09:19:30AM -0700, Zubin Mithra wrote:
>From: Francesco Ruggeri <fruggeri@arista.com>
>
>commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f upstream
>
>If a non-zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
>time, the following panic can be caused by running
>
>% ebtables -t broute -F BROUTING
>
>from a 32-bit user level on a 64-bit kernel. This patch replaces
>kmalloc_array with kcalloc when allocating xt.
>
>[ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920
>[ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
>[ 474.693838] Oops: 0000 [#1] SMP
>[ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
>[ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
>[ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
>[ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
>[ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
>[ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
>[ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
>[ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
>[ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
>[ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
>[ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
>[ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
>[ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
>[ 474.802052] Call Trace:
>[ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables]
>[ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
>[ 474.815605] ? try_module_get+0x37/0x42
>[ 474.819716] compat_nf_setsockopt+0x4f/0x6d
>[ 474.824172] compat_ip_setsockopt+0x7e/0x8c
>[ 474.828641] compat_raw_setsockopt+0x16/0x3a
>[ 474.833220] compat_sock_common_setsockopt+0x1d/0x24
>[ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1
>[ 474.843343] ? __check_object_size+0x76/0x19a
>[ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b
>[ 474.853276] do_fast_syscall_32+0xaf/0xf6
>[ 474.857548] entry_SYSENTER_compat+0x6b/0x7a
>
>Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
>Acked-by: Florian Westphal <fw@strlen.de>
>Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>Signed-off-by: Zubin Mithra <zsm@chromium.org>
>---
>Notes:
>* Syzkaller triggered a GPF in xt_compat_calc_jump with the following
>stacktrace when fuzzing a 4.14 kernel.
>Call Trace:
> compat_do_replace+0x5e3/0x7d0 net/bridge/netfilter/ebtables.c:2334
> compat_do_ebt_set_ctl+0x264/0x2e2 net/bridge/netfilter/ebtables.c:2383
> compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
> compat_nf_setsockopt+0x90/0x130 net/netfilter/nf_sockopt.c:156
> compat_ip_setsockopt net/ipv4/ip_sockglue.c:1281 [inline]
> compat_ip_setsockopt+0xb5/0xf0 net/ipv4/ip_sockglue.c:1262
> inet_csk_compat_setsockopt+0x9e/0x130 net/ipv4/inet_connection_sock.c:1047
> compat_tcp_setsockopt+0x45/0x80 net/ipv4/tcp.c:2816
> compat_sock_common_setsockopt+0xb9/0x150 net/core/sock.c:3017
> C_SYSC_setsockopt net/compat.c:404 [inline]
> compat_SyS_setsockopt+0x14a/0x390 net/compat.c:387
> do_syscall_32_irqs_on arch/x86/entry/common.c:349 [inline]
> do_fast_syscall_32+0x3b4/0xc90 arch/x86/entry/common.c:412
> entry_SYSENTER_compat+0x84/0x96 arch/x86/entry/entry_64_compat.S:139
>
>* This patch resolves a conflict that arises when applying the original
>upstream commit. The conflict arises as the following upstream commit is
>not present in v4.14.y.
> 6da2ec56059c ("treewide: kmalloc() -> kmalloc_array()")
>
>* This commit is present in linux-4.19.y
>
>* Tests run: Chrome OS tryjobs, Syzkaller reproducer
Queued for 3.18-4.14, thank you!
--
Thanks,
Sasha
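As an added illustration (not the kernel's code and not part of this thread), the following userspace model of the per-family xt[] table and the binary search that xt_compat_calc_jump() walks shows why the zeroed allocation matters: with cur == 0 the search never touches compat_tab, so a NULL table is harmless, whereas a stale non-zero cur would index a NULL table. Names mirror the kernel's but the logic is simplified; the "_model" functions and the 13-entry table size are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

struct compat_delta {
	unsigned int offset; /* key the search compares against */
	int delta;           /* size adjustment that applies past this offset */
};

struct xt_af {
	struct compat_delta *compat_tab; /* sorted by offset, NULL until set up */
	unsigned int number;             /* capacity of compat_tab */
	unsigned int cur;                /* entries in use; must start at 0 */
};

#define NFPROTO_BRIDGE   7   /* value from the kernel uapi header */
#define NFPROTO_NUMPROTO 13  /* table size assumed for this model */
static struct xt_af *xt;

/* Models the fix: zeroed allocation (kcalloc) instead of kmalloc_array,
 * so every family's cur is 0 rather than whatever the allocator left. */
int xt_init_model(void)
{
	xt = calloc(NFPROTO_NUMPROTO, sizeof(*xt));
	return xt ? 0 : -1;
}

unsigned int xt_cur_model(unsigned int af) { return xt[af].cur; }

/* Allocate a family's delta table with room for 'number' entries. */
int xt_compat_init_offsets_model(unsigned int af, unsigned int number)
{
	xt[af].compat_tab = calloc(number, sizeof(struct compat_delta));
	if (!xt[af].compat_tab)
		return -1;
	xt[af].number = number;
	xt[af].cur = 0;
	return 0;
}

/* Append one (offset, delta) pair; callers add offsets in ascending order. */
int xt_compat_add_offset_model(unsigned int af, unsigned int offset, int delta)
{
	struct xt_af *a = &xt[af];
	if (a->cur >= a->number)
		return -1; /* table full: refuse rather than write past the end */
	a->compat_tab[a->cur].offset = offset;
	a->compat_tab[a->cur].delta = delta;
	a->cur++;
	return 0;
}

/* Simplified model of the kernel's search. right = cur - 1 gates the loop:
 * a zeroed cur skips it entirely, a garbage cur dereferences tmp[mid]. */
int xt_compat_calc_jump_model(unsigned int af, unsigned int offset)
{
	struct compat_delta *tmp = xt[af].compat_tab;
	int mid, left = 0, right = (int)xt[af].cur - 1;

	while (left <= right) {
		mid = (left + right) >> 1;
		if (offset > tmp[mid].offset)
			left = mid + 1;
		else if (offset < tmp[mid].offset)
			right = mid - 1;
		else
			return mid ? tmp[mid - 1].delta : 0;
	}
	return left ? tmp[left - 1].delta : 0;
}
```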