On Wed, 8 Jan 2020, Florian Westphal wrote:

> The set uadt functions assume lineno is never NULL, but it is in
> case of ip_set_utest().
>
> syzkaller managed to generate a netlink message that calls this with
> LINENO attr present:
>
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104
> Call Trace:
>  ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
>  nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
>  netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
>  nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563
>
> pass a dummy lineno storage, it's easier than patching all set
> implementations.

I have just written the same patch... you were faster.

> This seems to be a day-0 bug.

Yes, alas. One could extend the check of attributes in ip_set_utest() to
bail out with protocol error if attr[IPSET_ATTR_LINENO] is present.

> Cc: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Best regards,
Jozsef

> Reported-by: syzbot+34bd2369d38707f3f4a7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> --- > net/netfilter/ipset/ip_set_core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c > index 169e0a04f814..cf895bc80871 100644 > --- a/net/netfilter/ipset/ip_set_core.c > +++ b/net/netfilter/ipset/ip_set_core.c > @@ -1848,6 +1848,7 @@ static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb, > struct ip_set *set; > struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {}; > int ret = 0; > + u32 lineno; > > if (unlikely(protocol_min_failed(attr) || > !attr[IPSET_ATTR_SETNAME] || 
> @@ -1864,7 +1865,7 @@ static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb, > return -IPSET_ERR_PROTOCOL; > > rcu_read_lock_bh(); > - ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); > + ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0); > rcu_read_unlock_bh(); > /* Userspace can't trigger element to be re-added */ > if (ret == -EAGAIN) > -- > 2.24.1 > >
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
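Review bot: the `u32 lineno;` added in the first hunk (@@ -1848) is write-only sink storage and nothing in ip_set_utest() says so; a short comment such as `u32 lineno; /* written by uadt(), never read: TEST reports no line */` would stop a later cleanup from treating it as an unused variable and reverting the call to NULL. Leaving it uninitialized is fine here because, per the commit message, the set-type uadt callbacks only ever store into it (the "dummy lineno storage").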
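Review bot: with `&lineno` in the second hunk (@@ -1864) a TEST request that carries IPSET_ATTR_LINENO is now accepted and the line number silently discarded, while the `unlikely(protocol_min_failed(attr) || !attr[IPSET_ATTR_SETNAME] || ...` check a few lines above already returns -IPSET_ERR_PROTOCOL for malformed requests. As the reply suggests, adding `attr[IPSET_ATTR_LINENO]` to that condition would turn the fuzzer's input into a protocol error rather than an accepted message; the dummy storage would then remain as a guard on the callback contract rather than the only defence.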
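The bug and the two remedies discussed in the thread (sink storage versus rejecting the attribute), as an added userland model that is not kernel code and not part of this patch. The attribute table, the tiny set, and the constant values (IPSET_ATTR_*, IPSET_TEST, IPSET_ERR_PROTOCOL) are assumptions made here for readability; they mirror the kernel names but not its definitions.

```c
/* Added example: a userland model of the ip_set_utest() -> uadt() contract
 * from the thread. All names and values below are assumed for illustration
 * and are not the kernel's definitions. Build: cc -std=c99 -Wall model.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IPSET_ATTR_SETNAME = 1, IPSET_ATTR_IP = 2, IPSET_ATTR_LINENO = 3,
       IPSET_ATTR_ADT_MAX = 3 };
enum { IPSET_ADD = 0, IPSET_DEL = 1, IPSET_TEST = 2 };
#define IPSET_ERR_PROTOCOL 4097   /* assumed value, stands in for the kernel's */

/* Parsed netlink attribute table: tb[i] == NULL means attribute i is absent. */
struct nlattr { uint32_t value; };
static uint32_t nla_get_u32(const struct nlattr *a) { return a->value; }

/* A toy set: a flat list of IPv4 addresses. */
#define SET_CAPACITY 8
struct model_set { uint32_t ip[SET_CAPACITY]; size_t n; };

/* Mirrors the shape of a set type's uadt(): when a LINENO attribute is
 * present it stores the line into *lineno unconditionally, which is the
 * "lineno is never NULL" assumption the original TEST caller violated. */
static int model_uadt(struct model_set *set, struct nlattr *tb[], int adt,
                      uint32_t *lineno)
{
    if (tb[IPSET_ATTR_LINENO])
        *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); /* NULL deref if lineno == NULL */
    if (!tb[IPSET_ATTR_IP])
        return -IPSET_ERR_PROTOCOL;
    uint32_t ip = nla_get_u32(tb[IPSET_ATTR_IP]);
    for (size_t i = 0; i < set->n; i++)
        if (set->ip[i] == ip)
            return adt == IPSET_TEST ? 1 : 0;   /* found: TEST reports 1 */
    if (adt == IPSET_ADD && set->n < SET_CAPACITY)
        set->ip[set->n++] = ip;
    return 0;                                   /* TEST: not found; ADD: inserted */
}

/* Pre-patch shape: NULL out-parameter. Correct only while no request ever
 * carries LINENO; a fuzzer-built message with the attribute crashes here. */
static int utest_original(struct model_set *set, struct nlattr *tb[])
{
    return model_uadt(set, tb, IPSET_TEST, NULL);
}

/* The posted fix: sink storage on the stack, value written and discarded. */
static int utest_dummy_storage(struct model_set *set, struct nlattr *tb[])
{
    uint32_t lineno;
    return model_uadt(set, tb, IPSET_TEST, &lineno);
}

/* The alternative raised in the reply: make LINENO a protocol error on TEST.
 * Storage is still passed so the callback contract holds even if the check
 * is later weakened. */
static int utest_reject_lineno(struct model_set *set, struct nlattr *tb[])
{
    uint32_t lineno;
    if (!tb[IPSET_ATTR_SETNAME] || tb[IPSET_ATTR_LINENO])
        return -IPSET_ERR_PROTOCOL;
    return model_uadt(set, tb, IPSET_TEST, &lineno);
}

/* Drive one caller with a constructed TEST request for 10.0.0.1 against a
 * set that contains it, optionally carrying a LINENO attribute as the
 * syzkaller message did. Constructed input, not a captured message. */
static int drive(int (*utest)(struct model_set *, struct nlattr *[]),
                 int with_lineno)
{
    struct model_set set = { .ip = { 0x0a000001u }, .n = 1 };
    struct nlattr setname = { 0 }, ip = { 0x0a000001u }, lineno = { 42 };
    struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = { NULL };
    tb[IPSET_ATTR_SETNAME] = &setname;
    tb[IPSET_ATTR_IP] = &ip;
    if (with_lineno)
        tb[IPSET_ATTR_LINENO] = &lineno;
    return utest(&set, tb);
}

int main(void)
{
    /* drive(utest_original, 1) is deliberately not called: it segfaults. */
    printf("original, no LINENO      : %d\n", drive(utest_original, 0));
    printf("dummy storage, LINENO    : %d\n", drive(utest_dummy_storage, 1));
    printf("reject, LINENO           : %d\n", drive(utest_reject_lineno, 1));
    printf("reject, no LINENO        : %d\n", drive(utest_reject_lineno, 0));
    return 0;
}
```

The model keeps the callback exactly as trusting as the kernel's set types are described to be, so the choice between the two callers is the whole fix: sink storage satisfies the contract everywhere with one line, while the attribute check also tells userspace that LINENO has no meaning on a TEST request.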