mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-21 01:51:18 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/ipv4
History
Kuniyuki Iwashima 95590a4929 netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). 
[ Upstream commit 5830aa8639 ]

We had a report that iptables-restore sometimes triggered null-ptr-deref
at boot time. [0]

The problem is that iptable_nat_table_init() is exposed to user space
before the kernel fully initialises netns.

In the small race window, a user could call iptable_nat_table_init()
that accesses net_generic(net, iptable_nat_net_id), which is available
only after registering iptable_nat_net_ops.

Let's call register_pernet_subsys() before xt_register_template().

[0]:
bpfilter: Loaded bpfilter_umh pid 11702
Started bpfilter
BUG: kernel NULL pointer dereference, address: 0000000000000013
 PF: supervisor write access in kernel mode
 PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
PREEMPT SMP NOPTI
CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1
Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017
RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c
RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246
RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80
RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0
RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240
R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000
R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004
FS:  00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
 ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
 ? xt_find_table_lock (net/netfilter/x_tables.c:1259)
 ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
 ? page_fault_oops (arch/x86/mm/fault.c:727)
 ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)
 ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)
 ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
 xt_find_table_lock (net/netfilter/x_tables.c:1259)
 xt_request_find_table_lock (net/netfilter/x_tables.c:1287)
 get_info (net/ipv4/netfilter/ip_tables.c:965)
 ? security_capable (security/security.c:809 (discriminator 13))
 ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)
 ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)
 ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter
 nf_getsockopt (net/netfilter/nf_sockopt.c:116)
 ip_getsockopt (net/ipv4/ip_sockglue.c:1827)
 __sys_getsockopt (net/socket.c:2327)
 __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)
 do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
RIP: 0033:0x7f62844685ee
Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09
RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0
R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2
R13: 00007f628455baa0 R14: 00007ffd1f83d7b0 R15: 00007f628457a008
 </TASK>
Modules linked in: iptable_nat(+) bpfilter rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache veth xt_state xt_connmark xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 vfat fat ghash_clmulni_intel aesni_intel ena crypto_simd ptp cryptd i8042 pps_core serio button sunrpc sch_fq_codel configfs loop dm_mod fuse dax dmi_sysfs crc32_pclmul crc32c_intel efivarfs
CR2: 0000000000000013

Fixes: fdacd57c79 ("netfilter: x_tables: never register tables by default")
Reported-by: Takahiro Kawahara <takawaha@amazon.co.jp>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-11 12:35:58 +02:00
..
bpfilter
netfilter netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). 2024-08-11 12:35:58 +02:00
af_inet.c net: relax socket state check at accept time. 2024-06-12 11:03:53 +02:00
ah4.c
arp.c arp: Prevent overflow in arp_req_get(). 2024-03-01 13:26:39 +01:00
bpf_tcp_ca.c
cipso_ipv4.c cipso: fix total option length computation 2024-06-27 13:46:18 +02:00
datagram.c ipv4: fix data-races around inet->inet_id 2023-08-30 16:11:02 +02:00
devinet.c ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid 2024-03-01 13:26:36 +01:00
esp4.c net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP 2024-08-03 08:49:03 +02:00
esp4_offload.c xfrm: Linearize the skb after offloading if needed. 2023-06-28 11:12:29 +02:00
fib_frontend.c ipv4: Fix incorrect table ID in IOCTL path 2023-03-22 13:33:50 +01:00
fib_lookup.h
fib_notifier.c
fib_rules.c
fib_semantics.c ipv4: fix source address selection with route leak 2024-08-03 08:49:31 +02:00
fib_trie.c ipv4: Fix incorrect TOS in route get reply 2024-08-03 08:49:24 +02:00
fou.c
gre_demux.c
gre_offload.c
icmp.c icmp: prevent possible NULL dereferences from icmp_build_probe() 2024-05-02 16:29:23 +02:00
igmp.c ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet 2023-12-08 08:51:17 +01:00
inet_connection_sock.c Fix race for duplicate reqsk on identical SYN 2024-07-05 09:31:46 +02:00
inet_diag.c inet_diag: Initialize pad field in struct inet_diag_req_v2 2024-07-11 12:47:12 +02:00
inet_fragment.c inet: inet_defrag: prevent sk release while still in use 2024-04-10 16:28:23 +02:00
inet_hashtables.c net: remove duplicate reuseport_lookup functions 2024-06-12 11:03:12 +02:00
inet_timewait_sock.c tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() 2024-03-26 18:20:58 -04:00
inetpeer.c
ip_forward.c
ip_fragment.c inet: inet_defrag: prevent sk release while still in use 2024-04-10 16:28:23 +02:00
ip_gre.c erspan: make sure erspan_base_hdr is present in skb->head 2024-04-10 16:28:27 +02:00
ip_input.c ipv4: ignore dst hint for multipath routes 2023-09-19 12:28:01 +02:00
ip_options.c
ip_output.c net: ipv4: fix a memleak in ip_setup_cork 2024-02-05 20:13:02 +00:00
ip_sockglue.c ipmr: fix kernel panic when forwarding mcast packets 2024-02-05 20:13:00 +00:00
ip_tunnel.c net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() 2024-03-26 18:20:41 -04:00
ip_tunnel_core.c tunnels: fix out of bounds access when building IPv6 PMTU error 2024-02-16 19:06:26 +01:00
ip_vti.c ip_vti: fix potential slab-use-after-free in decode_session6 2023-08-23 17:52:32 +02:00
ipcomp.c
ipconfig.c
ipip.c net: Add helper function to parse netlink msg of ip_tunnel_parm 2022-10-03 07:59:06 +01:00
ipmr.c ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function 2024-03-26 18:20:42 -04:00
ipmr_base.c
Kconfig tcp: configurable source port perturb table size 2022-11-16 13:02:04 +00:00
Makefile
metrics.c ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() 2023-02-01 08:34:45 +01:00
netfilter.c
netlink.c
nexthop.c net: nexthop: Initialize all fields in dumped nexthops 2024-08-03 08:49:50 +02:00
ping.c ping: Fix potentail NULL deref for /proc/net/icmp. 2023-04-13 16:55:24 +02:00
proc.c
protocol.c
raw.c ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels 2024-03-26 18:21:00 -04:00
raw_diag.c raw: Fix NULL deref in raw_get_next(). 2023-04-13 16:55:23 +02:00
route.c ipv4: Fix incorrect source address in Record Route option 2024-08-03 08:49:49 +02:00
syncookies.c tcp: fix cookie_init_timestamp() overflows 2023-11-20 11:51:54 +01:00
sysctl_net_ipv4.c tcp: enforce receive buffer memory limits by allowing the tcp window to shrink 2023-10-19 23:08:54 +02:00
tcp.c tcp: add tcp_done_with_error() helper 2024-08-03 08:49:04 +02:00
tcp_bbr.c
tcp_bic.c
tcp_bpf.c tcp_bpf: properly release resources on error paths 2023-10-25 12:03:13 +02:00
tcp_cdg.c Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
tcp_cong.c
tcp_cubic.c
tcp_dctcp.c tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). 2024-06-12 11:03:51 +02:00
tcp_dctcp.h
tcp_diag.c
tcp_fastopen.c tcp: annotate data-races around fastopenq.max_qlen 2023-07-27 08:50:49 +02:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: add tcp_done_with_error() helper 2024-08-03 08:49:04 +02:00
tcp_ipv4.c tcp: fix races in tcp_v[46]_err() 2024-08-03 08:49:04 +02:00
tcp_lp.c
tcp_metrics.c tcp_metrics: validate source addr length 2024-07-11 12:47:11 +02:00
tcp_minisocks.c rds: tcp: Fix use-after-free of net in reqsk_timer_handler(). 2024-03-26 18:20:58 -04:00
tcp_nv.c
tcp_offload.c tcp: gso: really support BIG TCP 2023-06-14 11:15:20 +02:00
tcp_output.c tcp: annotate lockless access to sk->sk_err 2024-08-03 08:49:04 +02:00
tcp_rate.c
tcp_recovery.c tcp: fix excessive TLP and RACK timeouts from HZ rounding 2023-10-25 12:03:06 +02:00
tcp_scalable.c
tcp_timer.c tcp: fix race in tcp_write_err() 2024-08-03 08:49:04 +02:00
tcp_ulp.c net/ulp: use consistent error code when blocking ULP 2023-01-24 07:24:43 +01:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). 2024-07-18 13:18:35 +02:00
udp_bpf.c bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() 2023-03-17 08:50:24 +01:00
udp_diag.c
udp_impl.h
udp_offload.c net: gro: add flush check in udp_gro_receive_segment 2024-05-17 11:56:02 +02:00
udp_tunnel_core.c udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO 2024-01-10 17:10:28 +01:00
udp_tunnel_nic.c
udp_tunnel_stub.c
udplite.c udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). 2023-05-30 14:03:20 +01:00
xfrm4_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:56:10 +02:00
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c