Hello
--
OpenPGP fingerprint: 1D94 A708 6346 FBF1 1DD1 6E1F 4957 8AFE D221 9C6A
I'm iCAROS7 and my syzkaller hit a vmalloc-OOB in net/bridge/netfilter/ebtables.c:1168
I'm not sure about that and the related bridge. But I'm reporting it just in case.
I attached a C reproducer and the syzkaller report.
Thank you for your dedication.
From iCAROS7.
<Information of my syzkaller system>
CPU: Intel i7-12700K
OS: Kubuntu 22.04.1 LTS (amd64)
Kernel: 5.18.19-051819-generic
Syzkaller
build: bcdf85f8
Target kernel: a5c95ca1
Syzkaller hit 'KASAN: vmalloc-out-of-bounds Read in __ebt_unregister_table' bug.

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xcc5/0xce0 net/bridge/netfilter/ebtables.c:1168
Read of size 4 at addr ffffc90003169000 by task kworker/u4:0/9

CPU: 1 PID: 9 Comm: kworker/u4:0 Not tainted 6.2.0-01417-gc9c3395d5e3d #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x156/0x459 mm/kasan/report.c:417
 kasan_report+0xc0/0xf0 mm/kasan/report.c:517
 __ebt_unregister_table+0xcc5/0xce0 net/bridge/netfilter/ebtables.c:1168
 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
 cleanup_net+0x4ee/0x9d0 net/core/net_namespace.c:613
 process_one_work+0x9ba/0x1720 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

Memory state around the buggy address:
 ffffc90003168f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90003168f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90003169000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90003169080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90003169100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Homin Rhee (이호민,李昊珉)
You can see the more information about my OpenPGP at https://minnote.net/gpg
Attachment:
repro.cprog
Description: Binary data
Attachment:
log3
Description: Binary data