Date: Fri, 31 Jul 2020 19:51:15 +0200
From: Pablo Neira Ayuso
To: William Mcvicker
Cc: security@kernel.org, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[]

Hi William,

On Fri, Jul 31, 2020 at 12:26:11AM +0000, William Mcvicker wrote:
> Hi Pablo,
>
> Yes, I believe this oops is only triggered by userspace when the user
> specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work
> the patch to check for this in ctnetlink_create_conntrack().

Great.

Note that this code does not exist in the tree anymore. I'm not sure
if this problem still exists upstream, this patch does not apply to
nf.git. This fix should only go for -stable maintainers.

> > BTW, do you have a Fixes: tag for this? This will be useful for
> > -stable maintainer to pick up this fix.
>
> Regarding the Fixes: tag, I don't have one offhand since this bug was reported
> to me, but I can search through the code history to find the commit that
> exposed this vulnerability.

That would be great.

Thank you.