From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 4.14 16/42] netfilter: fix use-after-free in __nf_register_net_hook()
Date: Mon, 7 Mar 2022 10:18:50 +0100 [thread overview]
Message-ID: <20220307091636.623427323@linuxfoundation.org> (raw)
In-Reply-To: <20220307091636.146155347@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit 56763f12b0f02706576a088e85ef856deacc98a0 upstream.
We must not dereference @new_hooks after nf_hook_mutex has been released,
because other threads might have freed our allocated hooks already.
BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430
CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
hooks_validate net/netfilter/core.c:171 [inline]
__nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024
rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084
__sys_setsockopt+0x2db/0x610 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f65a1ace7d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130
R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000
</TASK>
The buggy address belongs to the page:
page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
__alloc_pages_node include/linux/gfp.h:572 [inline]
alloc_pages_node include/linux/gfp.h:595 [inline]
kmalloc_large_node+0x62/0x130 mm/slub.c:4438
__kmalloc_node+0x35a/0x4a0 mm/slub.c:4454
kmalloc_node include/linux/slab.h:604 [inline]
kvmalloc_node+0x97/0x100 mm/util.c:580
kvmalloc include/linux/slab.h:731 [inline]
kvzalloc include/linux/slab.h:739 [inline]
allocate_hook_entries_size net/netfilter/core.c:61 [inline]
nf_hook_entries_grow+0x140/0x780 net/netfilter/core.c:128
__nf_register_net_hook+0x144/0x820 net/netfilter/core.c:429
nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
kvfree+0x42/0x50 mm/util.c:613
rcu_do_batch kernel/rcu/tree.c:2527 [inline]
rcu_core+0x7b1/0x1820 kernel/rcu/tree.c:2778
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
Memory state around the buggy address:
ffff88801c1a7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88801c1a7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801c1a8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88801c1a8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88801c1a8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Fixes: 2420b79f8c18 ("netfilter: debug: check for sorted array")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -276,14 +276,15 @@ int nf_register_net_hook(struct net *net
p = nf_entry_dereference(*pp);
new_hooks = nf_hook_entries_grow(p, reg);
- if (!IS_ERR(new_hooks))
+ if (!IS_ERR(new_hooks)) {
+ hooks_validate(new_hooks);
rcu_assign_pointer(*pp, new_hooks);
+ }
mutex_unlock(&nf_hook_mutex);
if (IS_ERR(new_hooks))
return PTR_ERR(new_hooks);
- hooks_validate(new_hooks);
#ifdef CONFIG_NETFILTER_INGRESS
if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
net_inc_ingress_queue();
next prev parent reply other threads:[~2022-03-07 9:23 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-07 9:18 [PATCH 4.14 00/42] 4.14.270-rc1 review Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 01/42] mac80211_hwsim: report NOACK frames in tx_status Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 02/42] mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 03/42] i2c: bcm2835: Avoid clock stretching timeouts Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 04/42] Input: clear BTN_RIGHT/MIDDLE on buttonpads Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 05/42] cifs: fix double free race when mount fails in cifs_get_root() Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 06/42] dmaengine: shdma: Fix runtime PM imbalance on error Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 07/42] i2c: cadence: allow COMPILE_TEST Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 08/42] i2c: qup: " Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 09/42] net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 10/42] usb: gadget: dont release an existing dev->buf Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 11/42] usb: gadget: clear related members when goto fail Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 12/42] ata: pata_hpt37x: fix PCI clock detection Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 13/42] ALSA: intel_hdmi: Fix reference to PCM buffer address Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 14/42] ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 15/42] xfrm: fix MTU regression Greg Kroah-Hartman
2022-03-07 9:18 ` Greg Kroah-Hartman [this message]
2022-03-07 9:18 ` [PATCH 4.14 17/42] xfrm: enforce validity of offload input flags Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 18/42] netfilter: nf_queue: dont assume sk is full socket Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 19/42] netfilter: nf_queue: fix possible use-after-free Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 20/42] batman-adv: Request iflink once in batadv-on-batadv check Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 21/42] batman-adv: Request iflink once in batadv_get_real_netdevice Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 22/42] batman-adv: Dont expect inter-netns unique iflink indices Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 23/42] net: dcb: flush lingering app table entries for unregistered devices Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 24/42] net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error generated by client Greg Kroah-Hartman
2022-03-07 9:18 ` [PATCH 4.14 25/42] net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 26/42] firmware: Fix a reference count leak Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 27/42] firmware: qemu_fw_cfg: fix kobject leak in probe error path Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 28/42] mac80211: fix forwarded mesh frames AC & queue selection Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 29/42] net: stmmac: fix return value of __setup handler Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 30/42] net: sxgbe: " Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 31/42] net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe() Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 32/42] efivars: Respect "block" flag in efivar_entry_set_safe() Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 33/42] can: gs_usb: change active_channelss type from atomic_t to u8 Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 34/42] ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 35/42] soc: fsl: qe: Check of ioremap return value Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 36/42] net: chelsio: cxgb3: check the return value of pci_find_capability() Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 37/42] nl80211: Handle nla_memdup failures in handle_nan_filter Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 38/42] Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power() Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 39/42] Input: elan_i2c - fix regulator enable count imbalance after suspend/resume Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 40/42] HID: add mapping for KEY_ALL_APPLICATIONS Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 41/42] memfd: fix F_SEAL_WRITE after shmem huge page allocated Greg Kroah-Hartman
2022-03-07 9:19 ` [PATCH 4.14 42/42] net: dcb: disable softirqs in dcbnl_flush_dev() Greg Kroah-Hartman
2022-03-08 8:18 ` [PATCH 4.14 00/42] 4.14.270-rc1 review Jon Hunter
2022-03-08 17:17 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220307091636.623427323@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).