From patchwork Wed Jul 26 09:16:47 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Taehee Yoo X-Patchwork-Id: 793762 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="eTX+9bxE"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3xHTyJ3y60z9sN5 for ; Wed, 26 Jul 2017 19:16:56 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751474AbdGZJQz (ORCPT ); Wed, 26 Jul 2017 05:16:55 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:38041 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751461AbdGZJQy (ORCPT ); Wed, 26 Jul 2017 05:16:54 -0400 Received: by mail-pf0-f194.google.com with SMTP id c23so15007074pfe.5 for ; Wed, 26 Jul 2017 02:16:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=Tx54ruhCJRNFeSSxA1onZ3X1B6CTP6qFOz12iapNCF8=; b=eTX+9bxEHoHjrz8gbRgiM1ywQtu1fxqpqVi+lhtiflK6J/v++skMCHV/WZSSZSbarh 9TVOJTkmqxekpvRfV8shjJBU/vFSUoxKfpYuSh3DnmpsY5v04H06ndv5o31Xn8fkxJ8F bgaKSjLepoXX0nY4qGvJb5iWbXj012Cvf2K/AD0VXHcVuqrI65gXv9YXqeN/b2JwzgsZ 9jl75HVN2MBpnrpU8BRlvNyWIou/LAOcnXIRfaZ0tzpMv589INl+k4p5XuQL4dU0Vl7j cannFcAUpPmyi4qofNJlu/QiTyjEASZtjDRZPL4Vz3GTQJfsWf7N9alqBd3/hOlaNRRV +XXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=Tx54ruhCJRNFeSSxA1onZ3X1B6CTP6qFOz12iapNCF8=; b=ItDeEMa+wcqJMp5Is2dgxwA4/ZYUgRazXX9Py8yyQE+vNNR+g82ExvFciO66xxiILZ DmNwKlZs/0luoQ/qGe1ixqs6pw0Cz0jXht6pUmV0+fn5XTPpefeipAqZf2YAsGxFP3t2 D7MeouBzqWL9LA20U7noK6W9xG4MhTpHLh9D4bkpbD+Qu+3Pv36u7LpkqbbIcceEHU/k LlANUm8qiwx2PGAsrebWNtSL25aS0pw/rx79rDxl5PAYZiIKdNhkklGvJspLXhYCqwLN U7h6o8pAQ2qCjsVPdf6LK2W/PVfo+ur3vzht1LtIeTiljoMGDW3GYUvHiR1EuwtHOO+p iHLA== X-Gm-Message-State: AIVw112eQa4MQ72MG7hOd5wl1BdmiBEiWAse71RUbwxiav/TOfGDWXmu 0pRgN+M8La/XIPxS X-Received: by 10.84.157.74 with SMTP id u10mr269745plu.137.1501060614338; Wed, 26 Jul 2017 02:16:54 -0700 (PDT) Received: from thyoo-B70EV-AP77BXE.8.8.8.8 ([175.113.82.80]) by smtp.gmail.com with ESMTPSA id x3sm20228879pge.42.2017.07.26.02.16.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Jul 2017 02:16:53 -0700 (PDT) From: Taehee Yoo To: pablo@netfilter.org, netfilter-devel@vger.kernel.org Cc: ap420073@gmail.com Subject: [PATCH V2] netfilter: x_tables: Fix use-after-free in ipt_do_table. Date: Wed, 26 Jul 2017 18:16:47 +0900 Message-Id: <20170726091648.20639-1-ap420073@gmail.com> X-Mailer: git-send-email 2.9.3 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org If verdict is NF_STOLEN in the SYNPROXY target, the skb is consumed. However, ipt_do_table() always tries to get ip header from the skb. So that, KASAN triggers the use-after-free message. We can reproduce this message using below command. # iptables -I INPUT -p tcp -j SYNPROXY --mss 1460 [ 193.542265] BUG: KASAN: use-after-free in ipt_do_table+0x1405/0x1c10 [ ... ] [ 193.578603] Call Trace: [ 193.581590] [ 193.584107] dump_stack+0x68/0xa0 [ 193.588168] print_address_description+0x78/0x290 [ 193.593828] ? ipt_do_table+0x1405/0x1c10 [ 193.598690] kasan_report+0x230/0x340 [ 193.603194] __asan_report_load2_noabort+0x19/0x20 [ 193.608950] ipt_do_table+0x1405/0x1c10 [ 193.613591] ? rcu_read_lock_held+0xae/0xd0 [ 193.618631] ? ip_route_input_rcu+0x27d7/0x4270 [ 193.624348] ? ipt_do_table+0xb68/0x1c10 [ 193.629124] ? do_add_counters+0x620/0x620 [ 193.634234] ? iptable_filter_net_init+0x60/0x60 [ ... ] After this patch, only when verdict is XT_CONTINUE, ipt_do_table() tries to get ip header. Signed-off-by: Taehee Yoo --- V2: - Change commit log message. V1: - Initial Version net/ipv4/netfilter/ip_tables.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 2a55a40..622ed28 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -352,13 +352,14 @@ ipt_do_table(struct sk_buff *skb, acpar.targinfo = t->data; verdict = t->u.kernel.target->target(skb, &acpar); - /* Target might have changed stuff. */ - ip = ip_hdr(skb); - if (verdict == XT_CONTINUE) + if (verdict == XT_CONTINUE) { + /* Target might have changed stuff. */ + ip = ip_hdr(skb); e = ipt_next_entry(e); - else + } else { /* Verdict */ break; + } } while (!acpar.hotdrop); xt_write_recseq_end(addend);