nf_conncount_destroy bug in rb_erase()

Hello,

I've got an easily reproducible bug that I'm seeing on 4.19.11 in the
conncount code.

[   65.167660] CPU: 1 PID: 10375 Comm: iptables Not tainted 4.19.11+ #1
[   65.167661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
[   65.167665] RIP: 0010:rb_erase+0xae/0x360
[   65.167666] Code: 4d 89 50 08 4d 85 c9 74 5b 48 83 c8 01 48 89 0a 49 89 01 c3 48 8b 0f 48 89 ca 48 83 e2 fc 48 85 d2 48 89 d0 0f 84 41 02 00 00 <48> 3b 7a 10 0f 84 3f 02 00 00 4c 89 42 08 4d 85 c0 0f 84 1b 02 00
[   65.167667] RSP: 0018:ffffb5bec0af7d18 EFLAGS: 00010206
[   65.167669] RAX: 6e3319b62019e1d4 RBX: ffff8ebe30766630 RCX: 6e3319b62019e1d5
[   65.167669] RDX: 6e3319b62019e1d4 RSI: ffff8ebe38c8e348 RDI: ffff8ebe38dadde0
[   65.167670] RBP: ffff8ebe38dade00 R08: 0000000000000000 R09: ffffffffc04ef301
[   65.167671] R10: ffff8ebe38dadde0 R11: 0000000000000001 R12: ffff8ebe38dadde0
[   65.167672] R13: ffff8ebe38c8e348 R14: ffff8ebe38c8e808 R15: ffff8ebe38c8e000
[   65.167673] FS:  00007ff81d373700(0000) GS:ffff8ebe3c440000(0000) knlGS:0000000000000000
[   65.167674] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   65.167677] CR2: 000055968cc0d008 CR3: 0000000138f52002 CR4: 00000000003606e0
[   65.167678] Call Trace:
[   65.167689]  nf_conncount_destroy+0x59/0xc0 [nf_conncount]
[   65.167691]  cleanup_match+0x45/0x70 [ip_tables]
[   65.167693]  ? next_arg+0x92/0x110
[   65.167694]  cleanup_entry+0x3e/0xc0 [ip_tables]
[   65.167696]  __do_replace+0x1a4/0x240 [ip_tables]
[   65.167697]  do_ipt_set_ctl+0x150/0x1b0 [ip_tables]
[   65.167700]  nf_setsockopt+0x44/0x70
[   65.167702]  __sys_setsockopt+0x82/0xe0
[   65.167703]  __x64_sys_setsockopt+0x20/0x30
[   65.167704]  do_syscall_64+0x48/0xf0
[   65.167706]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

I can reproduce this by running a simple webserver.  Then running:

# Keep adding a connlimit rule and deleting it again one second later;
# each delete tears the rule's conncount state down in nf_conncount_destroy().
while true; do
  sudo /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j DROP
  sleep 1
  sudo iptables -D INPUT 1
done

Then while that loop is running I hit the webserver:

# Open 100 short-lived TCP connections to the web server while the rule churns
for i in $(seq 1 100); do
  curl --silent http://192.168.122.250 >/dev/null
done

Thanks,
Shawn Bohrer
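For triaging reports like this one, the following is an added example (not part of Shawn's mail or the netfilter code): a small Python parser that turns an x86-64 oops as pasted from dmesg into a summary of the faulting symbol, the task that triggered it, the taint state and the call trace, and then picks out the first frame that lives in a loadable module. Run on the trace above, it shows that although RIP is in the core rbtree code (rb_erase), the first module frame is nf_conncount_destroy in nf_conncount, reached from the ip_tables rule-replace path. The function names parse_oops, first_module_frame and modules_in_trace are my own; the sample input is the oops quoted in the report.

```python
"""Parse an x86-64 kernel oops (dmesg format) into a triage summary."""
import re
from typing import Dict, List, Optional

# Sample input: the oops from the report above, copied verbatim.
OOPS_TEXT = """\
[   65.167660] CPU: 1 PID: 10375 Comm: iptables Not tainted 4.19.11+ #1
[   65.167661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
[   65.167665] RIP: 0010:rb_erase+0xae/0x360
[   65.167667] RSP: 0018:ffffb5bec0af7d18 EFLAGS: 00010206
[   65.167678] Call Trace:
[   65.167689]  nf_conncount_destroy+0x59/0xc0 [nf_conncount]
[   65.167691]  cleanup_match+0x45/0x70 [ip_tables]
[   65.167693]  ? next_arg+0x92/0x110
[   65.167694]  cleanup_entry+0x3e/0xc0 [ip_tables]
[   65.167696]  __do_replace+0x1a4/0x240 [ip_tables]
[   65.167697]  do_ipt_set_ctl+0x150/0x1b0 [ip_tables]
[   65.167700]  nf_setsockopt+0x44/0x70
[   65.167702]  __sys_setsockopt+0x82/0xe0
[   65.167703]  __x64_sys_setsockopt+0x20/0x30
[   65.167704]  do_syscall_64+0x48/0xf0
[   65.167706]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")                      # "[   65.167660] " prefix
CPU_RE = re.compile(r"CPU: (\d+) PID: (\d+) Comm: (\S+) (Not tainted|Tainted: .*?)\s+(\S+) #\d+")
RIP_RE = re.compile(r"RIP: ([0-9a-f]+):(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\S+)\])?")
FRAME_RE = re.compile(r"^(\? )?(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\S+)\])?$")


def parse_oops(text: str) -> Dict:
    """Return cpu/pid/comm/taint/kernel, the RIP symbol and the call-trace frames."""
    info: Dict = {"cpu": None, "pid": None, "comm": None, "tainted": None,
                  "kernel": None, "rip": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:
            continue
        m = CPU_RE.search(line)
        if m:
            info.update(cpu=int(m.group(1)), pid=int(m.group(2)), comm=m.group(3),
                        tainted=(m.group(4) != "Not tainted"), kernel=m.group(5))
            continue
        m = RIP_RE.search(line)
        if m:
            info["rip"] = {"symbol": m.group(2), "offset": int(m.group(3), 16),
                           "size": int(m.group(4), 16), "module": m.group(5)}
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if not m:          # first non-frame line ends the trace
                in_trace = False
                continue
            # "? sym" marks a frame the unwinder could not confirm is live
            info["frames"].append({"symbol": m.group(2), "offset": int(m.group(3), 16),
                                   "size": int(m.group(4), 16), "module": m.group(5),
                                   "unreliable": m.group(1) is not None})
    return info


def first_module_frame(info: Dict) -> Optional[Dict]:
    """First reliable frame that belongs to a loadable module (where to start looking)."""
    for frame in info["frames"]:
        if frame["module"] and not frame["unreliable"]:
            return frame
    return None


def modules_in_trace(info: Dict) -> List[str]:
    """Modules appearing in the trace, in order of first appearance, without duplicates."""
    seen: List[str] = []
    for frame in info["frames"]:
        if frame["module"] and frame["module"] not in seen:
            seen.append(frame["module"])
    return seen


if __name__ == "__main__":
    oops = parse_oops(OOPS_TEXT)
    rip = oops["rip"]
    print(f"{oops['comm']} (pid {oops['pid']}) faulted in {rip['symbol']}+{rip['offset']:#x} "
          f"on {oops['kernel']}, tainted={oops['tainted']}")
    mod = first_module_frame(oops)
    print(f"first module frame: {mod['symbol']} [{mod['module']}]; modules: {modules_in_trace(oops)}")
```

The trace-ending heuristic (stop at the first line that is not a frame) works for the usual dmesg layout where "Modules linked in:" or "---[ end trace" follows the frames; it is a parser for pasted reports, not a replacement for decode_stacktrace.sh when a vmlinux is available.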
