Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp2332454ybg; Thu, 30 Jul 2020 17:29:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz5g7ICmNVpQNKoDVGFSbePYpWnzn56Ob9xHnJjQy6TF8nnFzHEi+gxtAPhjWkefoKPcL1q X-Received: by 2002:a17:906:a1c7:: with SMTP id bx7mr1635116ejb.388.1596155372110; Thu, 30 Jul 2020 17:29:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596155372; cv=none; d=google.com; s=arc-20160816; b=mEzrSCMRcRsisLI9J0QIhyJXxWkfLk1dZuOeO+zgNUonG5IlXtDGiMbHv0vNcivFm4 2qpie/MlCgtxoZMrWVjA/31BbTXAurjwOlmc+tVHTuEM5uAoymO5WLyyiSSOkGvkwapG otH9A9NrjrBbXDJAM6M/8lNA2eArUrlGP+6HAbzge1TSdjEEUqfgb9yeIQZduIEo3k9v g7x6Sb8+VINQV3dtIcY4xKm0yUqvRiDxgkBMtkSKhJmJbHjRrn36z7+YMs7c7OpgAWRi SHmhQTsZsM0mrj1XPV+PI2On3a81ib81ccCC9U9/vkAJhMh4ljSKWFavMGbO/0Db25qF 8dZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Z3Lm1sGkWQwPe3NkE6iARE36RcrQ0xDQdl/rL+tDjI0=; b=YXqTNnAYiVUAbJTLir3JyXPZpTQcIr71xWHDNZBJtoXanEz2N93r3PdB39j4CHjDuK MVLZUaeT/3WTGXL1QnptYFX6iqVuE0skWI64lbBKlZ5FUscS4VxlH3m9kxN54/gOg4RA 0bMkDUw7f42jitiNxnkabbnsPaPBPlizUQIDK/vh/Ul6ogB6IGe8p5HOPSRxcmymebSW odmTrD6LhexMPjf4tG++UwFQ1L0lMExlvHHmRsx+qyzspbk/3X3YRxNpIFWHggJbnoVH pu9T8zdjPbVALckUpVrKbOEzhrEN1f/DwLpVCBF16zHVHqr53j2mF3UYqIYG3DcoiFZS ARhg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sOOQDS6l; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n6si4147638ejz.524.2020.07.30.17.29.04; Thu, 30 Jul 2020 17:29:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sOOQDS6l; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730936AbgGaA0R (ORCPT + 99 others); Thu, 30 Jul 2020 20:26:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34256 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730915AbgGaA0Q (ORCPT ); Thu, 30 Jul 2020 20:26:16 -0400 Received: from mail-pl1-x643.google.com (mail-pl1-x643.google.com [IPv6:2607:f8b0:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A96BC061575 for ; Thu, 30 Jul 2020 17:26:16 -0700 (PDT) Received: by mail-pl1-x643.google.com with SMTP id p1so15764831pls.4 for ; Thu, 30 Jul 2020 17:26:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=Z3Lm1sGkWQwPe3NkE6iARE36RcrQ0xDQdl/rL+tDjI0=; b=sOOQDS6l29PwJncVTdlZkzs7X7QSPkZPgnQAmSIwmUOgSvyL2/q0N7p90FYdSW2s8j 7CUVCSO8S+NAKPz3nxM6HhwyGHv+sbArXQoh5HbHlu8QYOGJbIQnOYENg9nXxXSjqXmE b/NXnhhTJcnAncLg5glbJ16Gmu7U9R7QCPUgEmu8abMsBqnftD0pBFG9svq8rL0X1x/+ 8QDgT9u9tf81CyG+A5/tzVxH58yQi4pFayRE1lwYeGvyydlZNXXPSUdjYJIU9bOJ2Y5Q Duxb7LFSRiGHX9usLWXOtYqk0aAF6bIjq1IUM4JvYDAPcBT2UjU0aKEK9VPxeKVm1Hx4 PkFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=Z3Lm1sGkWQwPe3NkE6iARE36RcrQ0xDQdl/rL+tDjI0=; b=fyVcMM0baUhXTI7jTfijMFB5AQpre3KZ/WzapWtis0McoTDEZmeVCUgcUBWYZGoNG5 D0aqbqQnJbYjVwKx+nQ+mVfKFnRlxKK+J1SSLJsTTKsepVJHDa28VSBOZPPWlpcfRpyg s22XXJFMIkYfqTDNKu44zt/GSsl8WMZmyOVcdNLzWKpxESg+Q89LnabCmtAPQOWpKscN u9TVAgxFjdm8JDyp/bdyCYVDNA+LMfVIv7osSusJsZBZR0Oc44fXw4ota2hLvea7XWqR uQNLTY4lYtqHfH5c9B1zyqpXXT5qVgtwLuUQo8Mi1atYdl2iDzNp+dKO8qCGMp17I0x4 cpdA== X-Gm-Message-State: AOAM531TdPJbDnDIelLjtD15OYIn+9m42Y7NQqjXCH4BirVv9Hq0FPiL c+h5IVyCl5luIath8+1s3IR1yA== X-Received: by 2002:a63:8c5d:: with SMTP id q29mr1238398pgn.249.1596155175408; Thu, 30 Jul 2020 17:26:15 -0700 (PDT) Received: from google.com (56.4.82.34.bc.googleusercontent.com. [34.82.4.56]) by smtp.gmail.com with ESMTPSA id p19sm7867698pgj.74.2020.07.30.17.26.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jul 2020 17:26:14 -0700 (PDT) Date: Fri, 31 Jul 2020 00:26:11 +0000 From: William Mcvicker To: Pablo Neira Ayuso Cc: security@kernel.org, Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Alexey Kuznetsov , Hideaki YOSHIFUJI , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[] Message-ID: <20200731002611.GA1035680@google.com> References: <20200727175720.4022402-1-willmcvicker@google.com> <20200727175720.4022402-2-willmcvicker@google.com> <20200729214607.GA30831@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200729214607.GA30831@salvia> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Pablo, Yes, I believe this oops is only triggered by userspace when the user specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work the patch to check for this in ctnetlink_create_conntrack(). > BTW, do you have a Fixes: tag for this? This will be useful for > -stable maintainer to pick up this fix. Regarding the Fixes: tag, I don't have one offhand since this bug was reported to me, but I can search through the code history to find the commit that exposed this vulnerability. Thanks, Will On 07/29/2020, Pablo Neira Ayuso wrote: > Hi Will, > > On Mon, Jul 27, 2020 at 05:57:20PM +0000, Will McVicker wrote: > > The indexes to the nf_nat_l[34]protos arrays come from userspace. So we > > need to make sure that before indexing the arrays, we verify the index > > is within the array bounds in order to prevent an OOB memory access. > > Here is an example kernel panic on 4.14.180 when userspace passes in an > > index greater than NFPROTO_NUMPROTO. > > > > Internal error: Oops - BUG: 0 [#1] PREEMPT SMP > > Modules linked in:... > > Process poc (pid: 5614, stack limit = 0x00000000a3933121) > > CPU: 4 PID: 5614 Comm: poc Tainted: G S W O 4.14.180-g051355490483 > > Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM > > task: 000000002a3dfffe task.stack: 00000000a3933121 > > pc : __cfi_check_fail+0x1c/0x24 > > lr : __cfi_check_fail+0x1c/0x24 > > ... > > Call trace: > > __cfi_check_fail+0x1c/0x24 > > name_to_dev_t+0x0/0x468 > > nfnetlink_parse_nat_setup+0x234/0x258 > > If this oops is only triggerable from userspace, I think a sanity > check in nfnetlink_parse_nat_setup should suffice to reject > unsupported layer 3 and layer 4 protocols. > > I mean, in this patch I see more chunks in the packet path, such as > nf_nat_l3proto_ipv4 that should never happen. I would just fix the > userspace ctnetlink path. > > BTW, do you have a Fixes: tag for this? This will be useful for > -stable maintainer to pick up this fix. > > Thanks.