Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752152AbdDCILp (ORCPT ); Mon, 3 Apr 2017 04:11:45 -0400 Received: from nuclearcat.com ([144.76.183.226]:42756 "EHLO nuclearcat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751403AbdDCIKs (ORCPT ); Mon, 3 Apr 2017 04:10:48 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Mon, 03 Apr 2017 11:10:44 +0300 From: Denys Fedoryshchenko To: Eric Dumazet Cc: Florian Westphal , Linux Kernel Network Developers , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev-owner@vger.kernel.org Subject: Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8 In-Reply-To: <1491153972.10124.14.camel@edumazet-glaptop3.roam.corp.google.com> References: <6c6e2f7505f969d8c2998efff24063ba@nuclearcat.com> <1491132259.10124.3.camel@edumazet-glaptop3.roam.corp.google.com> <20170402114545.GA31804@breakpoint.cc> <1491134084.10124.6.camel@edumazet-glaptop3.roam.corp.google.com> <1491135593.10124.9.camel@edumazet-glaptop3.roam.corp.google.com> <4442718191e17f0ff91bf1359da6d631@nuclearcat.com> <1491136344.10124.10.camel@edumazet-glaptop3.roam.corp.google.com> <1491153268.10124.12.camel@edumazet-glaptop3.roam.corp.google.com> <1491153972.10124.14.camel@edumazet-glaptop3.roam.corp.google.com> Message-ID: <35bef48734458fd995d9d4080da5db22@nuclearcat.com> User-Agent: Roundcube Webmail/1.2.3 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1506 Lines: 44 On 2017-04-02 20:26, Eric Dumazet wrote: > On Sun, 2017-04-02 at 10:14 -0700, Eric Dumazet wrote: > >> Could that be that netfilter does not abort earlier if TCP header is >> completely wrong ? >> > > Yes, I wonder if this patch would be better, unless we replicate the > th->doff sanity check in all netfilter modules dissecting TCP frames. > > diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c > index > ade024c90f4f129a7c384e9e1cbfdb8ffe73065f..8cb4eadd5ba1c20e74bc27ee52a0bc36a5b26725 > 100644 > --- a/net/netfilter/xt_tcpudp.c > +++ b/net/netfilter/xt_tcpudp.c > @@ -103,11 +103,11 @@ static bool tcp_mt(const struct sk_buff *skb, > struct xt_action_param *par) > if (!NF_INVF(tcpinfo, XT_TCP_INV_FLAGS, > (((unsigned char *)th)[13] & tcpinfo->flg_mask) == > tcpinfo->flg_cmp)) > return false; > + if (th->doff * 4 < sizeof(_tcph)) { > + par->hotdrop = true; > + return false; > + } > if (tcpinfo->option) { > - if (th->doff * 4 < sizeof(_tcph)) { > - par->hotdrop = true; > - return false; > - } > if (!tcp_find_option(tcpinfo->option, skb, par->thoff, > th->doff*4 - sizeof(_tcph), > tcpinfo->invflags & XT_TCP_INV_OPTION, I modified patch a little as: if (th->doff * 4 < sizeof(_tcph)) { par->hotdrop = true; WARN_ON_ONCE(!tcpinfo->option); return false; } And it did triggered WARN once at morning, and didn't hit KASAN. I will run for a while more, to see if it is ok, and then if stable, will try to enable SFQ again.