Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp9216662rwd;
        Wed, 21 Jun 2023 04:47:30 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ45B4UNmj+z4EZzilVxx4iTYEsDrs9OLK2WBW1cR4M8THeTP6GSG7Fflko4dMQcZJ/qNMnP
X-Received: by 2002:a92:d4c8:0:b0:33f:d628:5627 with SMTP id o8-20020a92d4c8000000b0033fd6285627mr13112158ilm.0.1687348050560;
        Wed, 21 Jun 2023 04:47:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687348050; cv=none;
        d=google.com; s=arc-20160816;
        b=BJ+G3CUAMasVCSttWSZSnAf/FF+RE12ekFugFsl3XX0GaBVGir8r9bflHpOhiuULF2
         8C0EPIQUoimUrSknpA4xr1YBBxQBj4+aroUDWVVCcDJzbJCxxvkOytVOQkHoumKh+lLh
         ixYvDTHIWePsliZOvjocJaZ+lEZVu//ElhuvzFpYdCG05ln37nHZJ2qnNcN9slRM+XFv
         sXis3acdCX1u66jczqOu65v50vKws7H1OiOmJeAw7I5HZuXXu/K68LgHiqOJ6TWJdjuy
         ukbiwtwcja8IkiovVA76lSycXHJm1guyZcL0D8anXt/+E3+gV/+X9oB5WytWtgzRf8Hz
         HHKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=oJSBt/8mIn8aVsQgwtBDRjgmQToN9meTTNOl+uJ0BwU=;
        b=TNG76dgurdaDXJvp4NTbd7/xBpWq/YBWHY3DnfFQJRePrVb2ZYhchhZVhaW9lHPJWC
         ZN+WARG8T9X211r/XCRWKzq5xgj86CW2z8X/G6E91gDZActdyRuKkPeMmo+sshWkMvgT
         9YNjBWkZzlmF/HGXm/C2R6HfLdadeAhf4ULMVYUizzNHQSMaR0C5eXSxR27TuqNWijGE
         L9tCbo1GtGkT5Ec9V4M9AslxtnOwv3qgEcuKIeYHqdfZ+dhCY5nX7+0LiTPflJMBetOh
         AHLDV4D5LERlUaPQvEyDvI6PllstBfYCesJnccJ0MEjdpRt1fm+MSlV5dHiHvVP4Js4p
         fnhQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id v12-20020a17090a634c00b00256cba1cadesi3922749pjs.50.2023.06.21.04.47.15;
        Wed, 21 Jun 2023 04:47:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230296AbjFULPd (ORCPT <rfc822;airlied@gmail.com> + 99 others);
        Wed, 21 Jun 2023 07:15:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42548 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231710AbjFULPH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Jun 2023 07:15:07 -0400
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2a0a:51c0:0:237:300::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C06EC186;
        Wed, 21 Jun 2023 04:15:06 -0700 (PDT)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92)
        (envelope-from <fw@strlen.de>)
        id 1qBvna-0006ir-Ck; Wed, 21 Jun 2023 13:14:54 +0200
Date:   Wed, 21 Jun 2023 13:14:54 +0200
From:   Florian Westphal <fw@strlen.de>
To:     Florent Revest <revest@chromium.org>
Cc:     Pablo Neira Ayuso <pablo@netfilter.org>,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        bpf@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de,
        davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
        pabeni@redhat.com, lirongqing@baidu.com, wangli39@baidu.com,
        zhangyu31@baidu.com, daniel@iogearbox.net, ast@kernel.org,
        kpsingh@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH nf] netfilter: conntrack: Avoid nf_ct_helper_hash uses
 after free
Message-ID: <20230621111454.GB24035@breakpoint.cc>
References: <20230615152918.3484699-1-revest@chromium.org>
 <ZJFIy+oJS+vTGJer@calendula>
 <CABRcYmJjv-JoadtzZwU5A+SZwbmbgnzWb27UNZ-UC+9r+JnVxg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CABRcYmJjv-JoadtzZwU5A+SZwbmbgnzWb27UNZ-UC+9r+JnVxg@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Florent Revest <revest@chromium.org> wrote:
> On Tue, Jun 20, 2023 at 8:35 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Thu, Jun 15, 2023 at 05:29:18PM +0200, Florent Revest wrote:
> > > If register_nf_conntrack_bpf() fails (for example, if the .BTF section
> > > contains an invalid entry), nf_conntrack_init_start() calls
> > > nf_conntrack_helper_fini() as part of its cleanup path and
> > > nf_ct_helper_hash gets freed.
> > >
> > > Further netfilter modules like netfilter_conntrack_ftp don't check
> > > whether nf_conntrack initialized correctly and call
> > > nf_conntrack_helpers_register() which accesses the freed
> > > nf_ct_helper_hash and causes a uaf.
> > >
> > > This patch guards nf_conntrack_helper_register() from accessing
> > > freed/uninitialized nf_ct_helper_hash maps and fixes a boot-time
> > > use-after-free.
> >
> > How could this possibly happen?
> 
> Here is one way to reproduce this bug:
> 
>   # Use nf/main
>   git clone git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
>   cd nf
> 
>   # Start from a minimal config
>   make LLVM=1 LLVM_IAS=0 defconfig
> 
>   # Enable KASAN, BTF and nf_conntrack_ftp
>   scripts/config -e KASAN -e BPF_SYSCALL -e DEBUG_INFO -e
> DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT -e DEBUG_INFO_BTF -e
> NF_CONNTRACK_FTP
>   make LLVM=1 LLVM_IAS=0 olddefconfig
> 
>   # Build without the LLVM integrated assembler
>   make LLVM=1 LLVM_IAS=0 -j `nproc`
> 
> (Note that the use of LLVM_IAS=0, KASAN and BTF is just to trigger a
> bug in BTF that will be fixed by
> https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=9724160b3942b0a967b91a59f81da5593f28b8ba
> Independently of that specific BTF bug, it shows how an error in
> nf_conntrack_bpf can cause a boot-time uaf in netfilter)
> 
> Then, booting gives me:
> 
> [    4.624666] BPF: [13893] FUNC asan.module_ctor
> [    4.625611] BPF: type_id=1
> [    4.626176] BPF:
> [    4.626601] BPF: Invalid name
> [    4.627208] BPF:
> [    4.627723] ==================================================================
> [    4.628610] BUG: KASAN: slab-use-after-free in
> nf_conntrack_helper_register+0x129/0x2f0
> [    4.628610] Read of size 8 at addr ffff888102d24000 by task swapper/0/1
> [    4.628610]

Isn't that better than limping along?

in this case an initcall is failing and I think panic is preferrable
to a kernel that behaves like NF_CONNTRACK_FTP=n.

AFAICS this problem is specific to NF_CONNTRACK_FTP=y
(or any other helper module, for that matter).

If you disagree please resend with a commit message that
makes it clear that this is only relevant for the 'builtin' case.