[PATCH nf 0/5] netfilter: nf_tables: add validate non-basechain ruleset routine

Non-basechain rulesets can't be validated,
because only a basechain has the type and hooknum information.
So the common validation functions (nft_chain_validate_hooks,
nft_chain_validate_dependency) skip non-basechain rulesets,
and a null-ptr exception can occur.

Steps to reproduce:
   %nft add table ip filter
   %nft add chain ip filter input { type filter hook input priority 4\; }
   %nft add chain ip filter ap
   %nft add rule ip filter input jump ap
   %nft add rule ip filter ap masquerade
OR
   %iptables-compat -t nat -N ap
   %iptables-compat -t nat -I PREROUTING -j ap
   %iptables-compat -t nat -I ap -j MASQUERADE

Then we can see the panic message.

[  411.234663] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  411.243134] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  411.244054] Modules linked in: nf_conntrack_ipv4 nf_defrag_ipv4 nft_masq_ipv4 nf_nat_masquerade_ipv4 nft_masq nf_nat nf_conntrack nf_tables nfnetlink ip_tables x_tables
[  411.244054] CPU: 1 PID: 2766 Comm: bash Tainted: G        W         4.16.0+ #175
[  411.244054] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
[  411.287200] RIP: 0010:inet_select_addr+0x37/0x620
[  411.291979] RSP: 0018:ffff88011b807368 EFLAGS: 00010292
[  411.295613] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  411.303662] RDX: 00000000000000a9 RSI: 000000000104a8c0 RDI: 0000000000000548
[  411.311707] RBP: ffff88011b807398 R08: 0000000000000000 R09: 0000000000000000
[  411.319730] R10: ffff88011b9e2fb3 R11: 0000000000000001 R12: 000000000104a8c0
[  411.327812] R13: 0000000000000000 R14: 000000000104a8c0 R15: 0000000000000000
[  411.335781] FS:  00007f600c733b40(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
[  411.347585] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  411.351777] CR2: 0000000000eb5008 CR3: 000000010b292000 CR4: 00000000001006e0
[  411.359785] Call Trace:
[  411.363785]  <IRQ>
[  411.363785]  nf_nat_masquerade_ipv4+0x21d/0x4e0 [nf_nat_masquerade_ipv4]
[  411.371780]  ? masq_inet_event+0x140/0x140 [nf_nat_masquerade_ipv4]
[  411.379772]  ? kmsg_dump_rewind_nolock+0xd9/0xd9
[  411.383796]  ? debug_check_no_locks_freed+0x280/0x280
[  411.391776]  ? sched_clock_cpu+0x144/0x180
[  411.395782]  nft_masq_ipv4_eval+0x26a/0x36a [nft_masq_ipv4]
[  411.403580]  ? nft_masq_ipv4_destroy+0x40/0x40 [nft_masq_ipv4]
[  411.407792]  nft_do_chain+0x1f4/0xd70 [nf_tables]
[  411.411775]  ? __nft_trace_packet+0x4b0/0x4b0 [nf_tables]
[  411.419781]  ? tcp_packet+0x11e0/0x5230 [nf_conntrack]
[  411.423776]  ? sched_clock_local+0xe2/0x150
[  411.431782]  ? __lock_acquire+0xcea/0x4ed0
[  411.435773]  ? debug_check_no_locks_freed+0x280/0x280
[  411.439779]  ? inet_ehash_locks_alloc+0x1c0/0x1c0
[  411.447789]  ? nf_conntrack_in+0x449/0xdd0 [nf_conntrack]
[  411.451776]  nft_do_chain_ipv4+0x16f/0x1e0 [nf_tables]
[  411.459775]  ? nft_do_chain_arp+0xa0/0xa0 [nf_tables]
[  411.463777]  ? lock_acquire+0x193/0x380
[  411.467785]  ? lock_acquire+0x193/0x380
[  411.471788]  ? ip_local_deliver+0x1c6/0x3c0
[  411.475772]  nf_hook_slow+0xae/0x170
[  411.479783]  ip_local_deliver+0x293/0x3c0
[  411.483776]  ? ip_call_ra_chain+0x490/0x490
[  411.491792]  ? ip_rcv_finish+0x1910/0x1910
[  411.495778]  ? nf_hook_slow+0xae/0x170
[  411.499774]  ip_rcv+0x82a/0x1240
[  411.503783]  ? ip_local_deliver+0x3c0/0x3c0
[  411.507770]  ? inet_del_offload+0x50/0x50
[  411.511788]  ? ip_local_deliver+0x3c0/0x3c0
[  411.515789]  __netif_receive_skb_core+0x1639/0x2460
[  411.523771]  ? napi_busy_loop+0x6d0/0x6d0
[  411.527781]  ? lock_acquire+0x193/0x380
[  411.531770]  ? lock_acquire+0x193/0x380
[  411.535786]  ? netif_receive_skb_internal+0x82/0x4c0
[  411.539772]  netif_receive_skb_internal+0x2c9/0x4c0
[  411.547771]  ? dev_cpu_dead+0x7f0/0x7f0
[  411.551779]  ? dev_gro_receive+0xb5c/0x1f10
[  411.555780]  ? rcu_read_lock_sched_held+0xa3/0x130
[  411.560330]  napi_gro_receive+0x275/0x360
[  411.563776]  igb_poll+0x1628/0x44b0
[  411.567775]  ? mark_held_locks+0xc7/0x110
[  411.575781]  ? net_rx_action+0x1d5/0xc60
[  411.579780]  net_rx_action+0x5f5/0xc60
[  411.583772]  ? napi_complete_done+0x340/0x340
[  411.587777]  ? lock_acquire+0x193/0x380
[  411.591772]  __do_softirq+0x22b/0x92e
[  411.595771]  irq_exit+0x198/0x1d0
[  411.599789]  do_IRQ+0x7f/0x190
[  411.603772]  common_interrupt+0xf/0xf
[  411.607772]  </IRQ>
[  411.611580] RIP: 0010:_raw_spin_unlock_irqrestore+0x34/0x50
[  411.615771] RSP: 0018:ffff88010c667a60 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd2
[  411.623785] RAX: 0000000000000007 RBX: 0000000000000246 RCX: 1ffff10020cd7108
[  411.631772] RDX: 0000000000000000 RSI: ffff8801066b8848 RDI: ffff8801066b880c
[  411.639771] RBP: ffff88011267cf00 R08: ffffed00224cf9e1 R09: 0000000000000000
[  411.647775] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88010d450640
[  411.655769] R13: 0000000000000015 R14: ffff88010d450640 R15: ffff88011267d030
[  411.663780]  __tty_check_change.part.1+0x103/0x360
[  411.671776]  n_tty_read+0x16e/0x14b0
[  411.675768]  ? __ldsem_down_read_nested+0xea/0x5d0
[  411.679774]  ? copy_from_read_buf+0x400/0x400
[  411.683777]  ? do_wait_intr_irq+0x270/0x270
[  411.687780]  tty_read+0x14a/0x220
[  411.691765]  __vfs_read+0xd2/0x580
[  411.695771]  ? SyS_copy_file_range+0x340/0x340
[  411.703763]  ? lock_acquire+0x380/0x380
[  411.707772]  ? lock_acquire+0x193/0x380
[  411.711762]  ? finish_task_switch+0xf4/0x560
[  411.715760]  ? _raw_spin_unlock_irq+0x29/0x40
[  411.719771]  ? _raw_spin_unlock_irq+0x29/0x40
[  411.723761]  ? finish_task_switch+0x122/0x560
[  411.731765]  ? finish_task_switch+0xf4/0x560
[  411.735764]  ? __schedule+0x582/0x19a0
[  411.739760]  ? lock_acquire+0x380/0x380
[  411.743930]  vfs_read+0x105/0x300
[  411.747763]  ? ksys_read+0x160/0x160
[  411.751772]  ksys_read+0xae/0x160
[  411.755763]  ? kernel_write+0x130/0x130
[  411.759761]  ? do_syscall_64+0x43/0x5b0
[  411.763762]  ? ksys_read+0x160/0x160
[  411.767769]  do_syscall_64+0x18f/0x5b0
[  411.771766]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  411.779574] RIP: 0033:0x7f600be28870
[  411.783569] RSP: 002b:00007ffe1e4f5aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  411.791773] RAX: ffffffffffffffda RBX: 00007f600c0f18c0 RCX: 00007f600be28870
[  411.799763] RDX: 0000000000000001 RSI: 00007ffe1e4f5ab7 RDI: 0000000000000000
[  411.807765] RBP: 00007ffe1e4f5ab7 R08: 00007f600c0f3750 R09: 00007f600c733b40
[  411.815779] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  411.823763] R13: 00000000004be7a0 R14: ffffffffffffffff R15: 0000000000000001
[  411.831763] Code: 00 fc ff df 48 89 e5 41 57 41 56 41 55 41 54 41 89 d5 53 48 89 fb 48 81 c7 48 05 00 00 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 08 <80> 3c 02 00 0f 85 82 05 00 00 4c 8b a3
[  411.851766] RIP: inet_select_addr+0x37/0x620 RSP: ffff88011b807368
[  411.860979] ---[ end trace bf2aa3e38f77f7bf ]---
[  411.866242] Kernel panic - not syncing: Fatal exception in interrupt
[  411.867204] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)


In order to solve this,
the patchset constructs chain information for all chains.
Then it validates all rules using the chain information.
If validation fails, the abort callback is called.

Before this patch, the routine for adding a rule is as below.
   1. select_ops()
   2. init()
   3. validate()
   4. call_batch()
   5. commit()/abort()

After this patch, the routine is as below.
   1. select_ops()
   2. init()
   3. call_batch()
   4. validate()
   5. commit()/abort()
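As an added illustration (not code from this patchset), a simplified Python model of the validation change the cover letter describes: the old per-chain check skips chains that have no type/hooknum, while the new walk starts at each basechain and carries its type and hook into every chain reached by jump. The expression requirements, hook numbers and dict layout are assumptions of the model.

```python
# Hypothetical model of the validation change described above; constructed
# for illustration, not nf_tables kernel code. Hook numbers are assumed.
NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING = 0, 1, 3, 4

# Chain type and hooks each expression depends on (assumed for the model);
# a basechain is a dict with "type"/"hooknum" set, a non-basechain has None.
REQUIREMENTS = {
    "masquerade": ("nat", {NF_INET_POST_ROUTING}),
    "redirect": ("nat", {NF_INET_PRE_ROUTING, NF_INET_LOCAL_OUT}),
}

def check_rules(name, chain, ctype, hooknum):
    """Reject rules whose expression needs another chain type or hook."""
    errors = []
    for expr, _ in chain["rules"]:
        if expr in REQUIREMENTS:
            want_type, hooks = REQUIREMENTS[expr]
            if ctype != want_type or hooknum not in hooks:
                errors.append(f"{name}: {expr} needs {want_type} chain at hook {sorted(hooks)}")
    return errors

def validate_old(name, chain):
    """Before the patch: a chain without type/hooknum is never checked."""
    if chain["type"] is None:
        return []
    return check_rules(name, chain, chain["type"], chain["hooknum"])

def validate_new(chains):
    """After the patch: walk from every basechain, carrying its type/hook into each chain reached by jump."""
    errors = []
    for base_name, base in chains.items():
        if base["type"] is None:
            continue
        seen, stack = set(), [base_name]
        while stack:
            name = stack.pop()
            if name in seen:   # a jump loop must not recurse forever
                continue
            seen.add(name)
            errors += check_rules(name, chains[name], base["type"], base["hooknum"])
            stack += [arg for expr, arg in chains[name]["rules"] if expr == "jump"]
    return errors

def reproducer():
    """Ruleset from the steps to reproduce: filter input -> jump ap -> masquerade."""
    return {
        "input": {"type": "filter", "hooknum": NF_INET_LOCAL_IN, "rules": [("jump", "ap")]},
        "ap": {"type": None, "hooknum": None, "rules": [("masquerade", None)]},
    }
```

With the old check, both chains of the reproducer pass and the masquerade rule is accepted; the new walk rejects it because the only path to "ap" starts at a filter chain on the input hook.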


Taehee Yoo (5):
  netfilter: nf_tables: use nft_ctx instead of nft_chain
  netfilter: nf_tables: remove nft_af_info.
  netfilter: nf_tables: add type and hook validate routine
  netfilter: nf_tables: use chain info to validate type and hook.
  netfilter: nf_tables: add call validate callback.

 include/linux/netfilter/nfnetlink.h      |   1 +
 include/net/netfilter/nf_tables.h        |   5 +-
 include/net/netns/nftables.h             |   3 +-
 net/bridge/netfilter/nft_reject_bridge.c |   4 +-
 net/netfilter/nf_tables_api.c            | 317 +++++++++++++++++++++++++++----
 net/netfilter/nfnetlink.c                |  13 ++
 net/netfilter/nft_compat.c               |  73 +++----
 net/netfilter/nft_fib.c                  |   2 +-
 net/netfilter/nft_flow_offload.c         |   2 +-
 net/netfilter/nft_masq.c                 |   4 +-
 net/netfilter/nft_meta.c                 |   4 +-
 net/netfilter/nft_nat.c                  |   6 +-
 net/netfilter/nft_redir.c                |   4 +-
 net/netfilter/nft_reject.c               |   2 +-
 net/netfilter/nft_rt.c                   |   2 +-
 15 files changed, 340 insertions(+), 102 deletions(-)

-- 
2.9.3
