Re: [PATCH nf] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value


 



Juhee Kang <claudiajkang@xxxxxxxxx> wrote:
> Currently, when the rule related to IDLETIMER is added, idletimer_tg timer 
> structure is initialized by kmalloc on executing idletimer_tg_create 
> function. However, in this process timer->timer_type is not defined to 
> a specific value. Thus, timer->timer_type has a garbage value and a
> kernel panic occurs. So, this commit fixes the panic by initializing
> timer->timer_type using kzalloc instead of kmalloc.
> 
> Test commands:
>     # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
>     $ cat /sys/class/xt_idletimer/timers/test
>       Killed
> 
> Splat looks like:
>     BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
>     Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
>     CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
>     Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>     Call Trace:
>      dump_stack_lvl+0x6e/0x9c
>      kasan_report.cold+0x112/0x117
>      ? alarm_expires_remaining+0x49/0x70
>      __asan_load8+0x86/0xb0
>      alarm_expires_remaining+0x49/0x70
>      idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]

> Fixes: 0902b469bd250 ("netfilter: xtables: idletimer target implementation")

Hmm, I don't think so.

Probably:
Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")

?
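The failure mode described in the quoted commit message, as an added userspace model that is not part of the thread or of the kernel source: a field that the create path never assigns decides which branch the show path takes. The struct layout, the `MODEL_ALARM` bit, the `model_*` names and the 0xA5 fill pattern are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_ALARM 0x01   /* assumed flag bit that selects the alarm path */

struct model_timer {       /* simplified stand-in for the idletimer_tg timer */
    long alarm_state;      /* only set up when an alarm-type timer is requested */
    long expires;
    uint8_t timer_type;    /* never assigned on the plain-timer create path */
};

/* kmalloc model: memory comes back holding stale bytes (0xA5 is constructed). */
static void *model_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xA5, n);
    return p;
}

/* kzalloc model: same allocation, guaranteed zero-filled. */
static void *model_kzalloc(size_t n) { return calloc(1, n); }

/* Create path for a plain timer: sets expires, leaves timer_type alone (the bug). */
static struct model_timer *model_create(void *(*alloc)(size_t), long expires)
{
    struct model_timer *t = alloc(sizeof(*t));
    if (t)
        t->expires = expires;
    return t;
}

/* Show path: 1 if it would read the never-initialized alarm state, else 0. */
static int model_show_uses_alarm(const struct model_timer *t)
{
    return (t->timer_type & MODEL_ALARM) != 0;
}

int main(void)
{
    struct model_timer *bad = model_create(model_kmalloc, 1);
    struct model_timer *good = model_create(model_kzalloc, 1);
    if (!bad || !good)
        return 1;
    printf("kmalloc model: alarm path taken = %d\n", model_show_uses_alarm(bad));
    printf("kzalloc model: alarm path taken = %d\n", model_show_uses_alarm(good));
    free(bad);
    free(good);
    return 0;
}
```

With the zeroing allocator the flag reads as 0 and the plain-timer branch is taken, which is the effect the commit message attributes to switching to kzalloc.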


