Florent Revest <revest@xxxxxxxxxxxx> wrote: > On Tue, Jun 20, 2023 at 8:35 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > > > On Thu, Jun 15, 2023 at 05:29:18PM +0200, Florent Revest wrote: > > > If register_nf_conntrack_bpf() fails (for example, if the .BTF section > > > contains an invalid entry), nf_conntrack_init_start() calls > > > nf_conntrack_helper_fini() as part of its cleanup path and > > > nf_ct_helper_hash gets freed. > > > > > > Further netfilter modules like netfilter_conntrack_ftp don't check > > > whether nf_conntrack initialized correctly and call > > > nf_conntrack_helpers_register() which accesses the freed > > > nf_ct_helper_hash and causes a uaf. > > > > > > This patch guards nf_conntrack_helper_register() from accessing > > > freed/uninitialized nf_ct_helper_hash maps and fixes a boot-time > > > use-after-free. > > > > How could this possibly happen? > > Here is one way to reproduce this bug: > > # Use nf/main > git clone git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git > cd nf > > # Start from a minimal config > make LLVM=1 LLVM_IAS=0 defconfig > > # Enable KASAN, BTF and nf_conntrack_ftp > scripts/config -e KASAN -e BPF_SYSCALL -e DEBUG_INFO -e > DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT -e DEBUG_INFO_BTF -e > NF_CONNTRACK_FTP > make LLVM=1 LLVM_IAS=0 olddefconfig > > # Build without the LLVM integrated assembler > make LLVM=1 LLVM_IAS=0 -j `nproc` > > (Note that the use of LLVM_IAS=0, KASAN and BTF is just to trigger a > bug in BTF that will be fixed by > https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=9724160b3942b0a967b91a59f81da5593f28b8ba > Independently of that specific BTF bug, it shows how an error in > nf_conntrack_bpf can cause a boot-time uaf in netfilter) > > Then, booting gives me: > > [ 4.624666] BPF: [13893] FUNC asan.module_ctor > [ 4.625611] BPF: type_id=1 > [ 4.626176] BPF: > [ 4.626601] BPF: Invalid name > [ 4.627208] BPF: > [ 4.627723] ================================================================== > [ 4.628610] BUG: KASAN: slab-use-after-free in > nf_conntrack_helper_register+0x129/0x2f0 > [ 4.628610] Read of size 8 at addr ffff888102d24000 by task swapper/0/1 > [ 4.628610] Isn't that better than limping along? in this case an initcall is failing and I think panic is preferrable to a kernel that behaves like NF_CONNTRACK_FTP=n. AFAICS this problem is specific to NF_CONNTRACK_FTP=y (or any other helper module, for that matter). If you disagree please resend with a commit message that makes it clear that this is only relevant for the 'builtin' case.
