Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp262165pxa; Fri, 31 Jul 2020 11:17:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwbAVGviooQ+0zMsNDyGYr2/DQ7phEf/ADECqPpa83ae6L/3BZnDo977ZxIrTeA1PnBIP8v X-Received: by 2002:a17:907:20e6:: with SMTP id rh6mr5205872ejb.301.1596219449554; Fri, 31 Jul 2020 11:17:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596219449; cv=none; d=google.com; s=arc-20160816; b=r8HcwK3Mh8BadQmvjMH4v179VJWvr4ahPrAIOGpwxbNfcZHt7tWxQUOaLYdgRvjUPT 9RnKuqdoqDyWK2i2Ru9G2xI5lKSnI3S4d7hLXpPKcSpjZ4Inw+SiF2Qs+MqnGeHYRM0W LbgVGhpYIwTL4EGbhoVzBv2QlSnfwNP3xIyat2EARHgfrgqJwCXqX9LALmTW9dL+sJbh JUyBDj/bRK+xAs0GhN6WBoU6/gYHFLb9g1JZQflezZRmR0A+257aLUTgaCtpc6/IqlT6 eNFatLLv4AFnENtyVEhsaKEyg/MTMd1QgxMyqzYnbxVw6pbaL2y3Dp4b3rVjLBTMctmD ajwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=TDjonBmuUQvyaWYJBgC/o+3/IEmbAX8AfV7I+TtewFc=; b=JkbBVkFEo6cz0UD/Ypot3C3vVNNd4Ya08bFPZh0QyuYzDNoUIz3ZjpsG6UJl/9e5t3 ZwLhCCZ9uBBxmIf3JsQZphNkH+y2IbNnGw2o5j1JplZY11MwoIP/D/otQ1NQR05SeRw8 08UYDXCnnusbi8WOZqcrU4WajccnnM1h+nCyiF/2OuoILvTBb72IAcrupGk5mhhGbtxp Gk8jWdPixs6LVM/MCFBTuZGle7qakj36PX/k8kgIgPPgcYyPW3jsx68JM+L7YZ0PWOyW JHwTFXXXWFbSO09yZQW9rVmyHeiQ/fOqUB4tMYwoDc6ZjE8RQAGDK+hP+fo9zepuxFsU Rd+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=E4PyFhb0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cy23si184986edb.311.2020.07.31.11.17.07; Fri, 31 Jul 2020 11:17:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=E4PyFhb0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387722AbgGaSQj (ORCPT + 99 others); Fri, 31 Jul 2020 14:16:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387651AbgGaSQi (ORCPT ); Fri, 31 Jul 2020 14:16:38 -0400 Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B6B3C06174A for ; Fri, 31 Jul 2020 11:16:38 -0700 (PDT) Received: by mail-pl1-x642.google.com with SMTP id k13so9995830plk.13 for ; Fri, 31 Jul 2020 11:16:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=TDjonBmuUQvyaWYJBgC/o+3/IEmbAX8AfV7I+TtewFc=; b=E4PyFhb0Ar5YqNdxhxX2a8wKFZEu/2ST7bv4QIUoGaSgkHPvdACktcHN8BvF+SCGL8 gZJWGBtbJ1MutPmzg/MeNlYSrhO057Pj/J6ehg7IaGuZ0a9DQrTRDkr2F2AUHxyGQHaX o5ShFgfIeLuy7MxsZOrcqX/TEMhQthtAB0JiHr2774RA3qNIALhx8H1uHTP/NC31E9OO 1sRdKk8GeU8qWga0AdkgKJ7aVu9Z38Gzq+ONP+rbl/VONE3s6VkbkgrgAE/99YuGzbma qkC31644KiV7Oo89U+xeFBWKkaLzShUKTYXxiZ3dr1g1cvQdGWka9CgJ2SY/P/OpyITQ orEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=TDjonBmuUQvyaWYJBgC/o+3/IEmbAX8AfV7I+TtewFc=; b=EBbGBbQMwSMqkPvNFAueNRMo4/KDBQgUhxEqPlF842cXTu3fdaM/J7bc6CLnLq6kcC vHNB5r24YUYSnDNJV+ROK3T46m6hizOJ9F4Zs+OGnRjuVN3y41i1+/Yyc9x8kPjot2po NlaI7qgkPB6PMxWtYs1BUaGfqXVJoFnnuwY4T2VwAi6rUHpfn0nH78A5sn2+n11C26ai RyRt0JBTxLZ9WvyJAv4gz4BePoNwGQftOFISwU80P/2sAb5wQ9JlnmtM/L5ZKBJSLH4H IV+gnyxgzdV4KIPA4ByOxQgn2dG5tjbiemBP7LatoVoKWbVsfCSRoS7NXEIxMpxlwnhv NHwg== X-Gm-Message-State: AOAM5316qTwQ5pd6I9HmYdfBIaE3sIMTnIJKzzqfT8yiiihhsd36MYS+ ORmxge5+25xa++oohzM2G5/iFA== X-Received: by 2002:a17:90b:514:: with SMTP id r20mr5377570pjz.82.1596219397381; Fri, 31 Jul 2020 11:16:37 -0700 (PDT) Received: from google.com (56.4.82.34.bc.googleusercontent.com. [34.82.4.56]) by smtp.gmail.com with ESMTPSA id a24sm10542844pfg.113.2020.07.31.11.16.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Jul 2020 11:16:36 -0700 (PDT) Date: Fri, 31 Jul 2020 18:16:33 +0000 From: William Mcvicker To: Pablo Neira Ayuso Cc: security@kernel.org, Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Alexey Kuznetsov , Hideaki YOSHIFUJI , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[] Message-ID: <20200731181633.GA1209076@google.com> References: <20200727175720.4022402-1-willmcvicker@google.com> <20200727175720.4022402-2-willmcvicker@google.com> <20200729214607.GA30831@salvia> <20200731002611.GA1035680@google.com> <20200731175115.GA16982@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200731175115.GA16982@salvia> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Pablo, > Note that this code does not exist in the tree anymore. I'm not sure > if this problem still exists upstream, this patch does not apply to > nf.git. This fix should only go for -stable maintainers. Right, the vulnerability has been fixed by the refactor commit fe2d0020994cd ("netfilter: nat: remove l4proto->in_range"), but this patch is a part of a full re-work of the code and doesn't backport very cleanly to the LTS branches. So this fix is only applicable to the 4.19, 4.14, 4.9, and 4.4 LTS branches. I missed the -stable email, but will re-add it to this thread with the re-worked patch. Thanks, Will On 07/31/2020, Pablo Neira Ayuso wrote: > Hi William, > > On Fri, Jul 31, 2020 at 12:26:11AM +0000, William Mcvicker wrote: > > Hi Pablo, > > > > Yes, I believe this oops is only triggered by userspace when the user > > specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work > > the patch to check for this in ctnetlink_create_conntrack(). > > Great. > > Note that this code does not exist in the tree anymore. I'm not sure > if this problem still exists upstream, this patch does not apply to > nf.git. This fix should only go for -stable maintainers. > > > > BTW, do you have a Fixes: tag for this? This will be useful for > > > -stable maintainer to pick up this fix. > > > > Regarding the Fixes: tag, I don't have one offhand since this bug was reported > > to me, but I can search through the code history to find the commit that > > exposed this vulnerability. > > That would be great. > > Thank you.