Juhee Kang <claudiajkang@xxxxxxxxx> wrote:
> Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
> structure is initialized by kmalloc on executing idletimer_tg_create
> function. However, in this process timer->timer_type is not defined to
> a specific value. Thus, timer->timer_type has garbage value and it occurs
> kernel panic. So, this commit fixes the panic by initializing
> timer->timer_type using kzalloc instead of kmalloc.
>
> Test commands:
> # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
> $ cat /sys/class/xt_idletimer/timers/test
> Killed
>
> Splat looks like:
> BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
> Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
> CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> dump_stack_lvl+0x6e/0x9c
> kasan_report.cold+0x112/0x117
> ? alarm_expires_remaining+0x49/0x70
> __asan_load8+0x86/0xb0
> alarm_expires_remaining+0x49/0x70
> idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
> Fixes: 0902b469bd250 ("netfilter: xtables: idletimer target implementation")
Hmm, I don't think so.
Probably:
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
?
