Message ID | f9e3e9338eeb819c40efb13fed33514a3df23c14.1503025296.git.lucien.xin@gmail.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Fri, Aug 18, 2017 at 11:01:36AM +0800, Xin Long wrote: > As we know in some target's checkentry it may dereference par.entryinfo > to check entry stuff inside. But when sched action calls xt_check_target, > par.entryinfo is set with NULL. It would cause kernel panic when calling > some targets. > > It can be reproduce with: > # tc qd add dev eth1 ingress handle ffff: > # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \ > -j ECN --ecn-tcp-remove > > It could also crash kernel when using target CLUSTERIP or TPROXY. > > By now there's no proper value for par.entryinfo in ipt_init_target, > but it can not be set with NULL. This patch is to void all these > panics by setting it with an ipt_entry obj with all members = 0. > > Note that this issue has been there since the very beginning. > > Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
From: Xin Long <lucien.xin@gmail.com> Date: Fri, 18 Aug 2017 11:01:36 +0800 > As we know in some target's checkentry it may dereference par.entryinfo > to check entry stuff inside. But when sched action calls xt_check_target, > par.entryinfo is set with NULL. It would cause kernel panic when calling > some targets. > > It can be reproduce with: > # tc qd add dev eth1 ingress handle ffff: > # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \ > -j ECN --ecn-tcp-remove > > It could also crash kernel when using target CLUSTERIP or TPROXY. > > By now there's no proper value for par.entryinfo in ipt_init_target, > but it can not be set with NULL. This patch is to void all these > panics by setting it with an ipt_entry obj with all members = 0. > > Note that this issue has been there since the very beginning. > > Signed-off-by: Xin Long <lucien.xin@gmail.com> Applied and queued up for -stable, thanks.
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c index d516ba8..5417078 100644 --- a/net/sched/act_ipt.c +++ b/net/sched/act_ipt.c @@ -41,6 +41,7 @@ static int ipt_init_target(struct net *net, struct xt_entry_target *t, { struct xt_tgchk_param par; struct xt_target *target; + struct ipt_entry e = {}; int ret = 0; target = xt_request_find_target(AF_INET, t->u.user.name, @@ -52,6 +53,7 @@ static int ipt_init_target(struct net *net, struct xt_entry_target *t, memset(&par, 0, sizeof(par)); par.net = net; par.table = table; + par.entryinfo = &e; par.target = target; par.targinfo = t->data; par.hook_mask = hook;
As we know in some target's checkentry it may dereference par.entryinfo to check entry stuff inside. But when sched action calls xt_check_target, par.entryinfo is set with NULL. It would cause kernel panic when calling some targets. It can be reproduce with: # tc qd add dev eth1 ingress handle ffff: # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \ -j ECN --ecn-tcp-remove It could also crash kernel when using target CLUSTERIP or TPROXY. By now there's no proper value for par.entryinfo in ipt_init_target, but it can not be set with NULL. This patch is to void all these panics by setting it with an ipt_entry obj with all members = 0. Note that this issue has been there since the very beginning. Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/sched/act_ipt.c | 2 ++ 1 file changed, 2 insertions(+)