From patchwork Wed Jun 13 16:13:39 2018
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 928965
X-Patchwork-Delegate: pablo@netfilter.org
From: Eric Dumazet
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal
Cc: netfilter-devel@vger.kernel.org, netdev, Eric Dumazet, Eric Dumazet
Subject: [PATCH net] netfilter: nf_queue: augment nfqa_cfg_policy
Date: Wed, 13 Jun 2018 09:13:39 -0700
Message-Id: <20180613161339.144919-1-edumazet@google.com>

Three attributes are currently not verified, thus can trigger
KMSAN warnings such as:

BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
CPU: 1 PID: 4521 Comm: syz-executor120 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
 __fswab32 include/uapi/linux/swab.h:59 [inline]
 nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
 nfnetlink_rcv_msg+0xb2e/0xc80 net/netfilter/nfnetlink.c:212
 netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
 nfnetlink_rcv+0x2fe/0x680 net/netfilter/nfnetlink.c:513
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fd59
RSP: 002b:00007ffde0e30d28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401680
R13: 0000000000401710 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: fdb694a01f1f ("netfilter: Add fail-open support")
Fixes: 829e17a1a602 ("[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
---
 net/netfilter/nfnetlink_queue.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 4ccd2988f9db637166358335d8e26299c7237bec..ea4ba551abb28cb25c833dc408e23d1313b21bb4 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -1243,6 +1243,9 @@ static int nfqnl_recv_unsupp(struct net *net, struct sock *ctnl, static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = { [NFQA_CFG_CMD] = { .len = sizeof(struct nfqnl_msg_config_cmd) }, [NFQA_CFG_PARAMS] = { .len = sizeof(struct nfqnl_msg_config_params) }, + [NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 }, + [NFQA_CFG_MASK] = { .type = NLA_U32 }, + [NFQA_CFG_FLAGS] = { .type = NLA_U32 }, }; static const struct nf_queue_handler nfqh = {
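Review bot: the three new `.type = NLA_U32` entries are the right fix for the report above, since an absent nfqa_cfg_policy slot imposes no length bound on NFQA_CFG_QUEUE_MAXLEN, NFQA_CFG_MASK or NFQA_CFG_FLAGS, so a caller can send one with a payload shorter than the four bytes nfqnl_recv_config() then byte-swaps (the uninit-value at nfnetlink_queue.c:1268); NLA_U32 enforces that minimum, consistent with the `.len`-only entries already present for NFQA_CFG_CMD and NFQA_CFG_PARAMS. One documentation suggestion: the commit message says the attributes are "not verified" but not what goes wrong, so a sentence stating that a missing policy entry skips the length check and the subsequent 32-bit read runs past a short attribute's payload would let readers connect the two Fixes: tags to the trace without opening the source.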
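To make the mechanism behind the patch concrete, here is an added user-space model, not kernel code and not part of this patch, of how an nla_policy entry bounds an attribute's length: struct nlattr, struct nla_policy, parse_attrs() and the CFG_FLAGS id are simplified stand-ins for the kernel's netlink types, and the empty attribute is constructed input. It shows the same zero-payload attribute being accepted when the policy slot is empty and rejected once an NLA_U32 entry like the ones the patch adds is present.

```c
/* Added example, not part of the patch: a user-space model of how an nla_policy
 * entry makes attribute length checking happen. struct nlattr, struct nla_policy
 * and parse_attrs() are simplified stand-ins for the kernel's netlink code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define NLA_HDRLEN 4
#define NLA_U32 1     /* policy type: payload must hold at least a u32 */
#define CFG_FLAGS 5   /* hypothetical attribute id, stands in for NFQA_CFG_FLAGS */
#define CFG_MAX 5
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct nla_policy { uint16_t type; uint16_t len; };
/* Minimum payload implied by a policy entry. An all-zero entry, which is what a
 * missing entry amounts to, accepts any payload length, even zero. */
static size_t policy_minlen(const struct nla_policy *p) {
    return p->type == NLA_U32 ? sizeof(uint32_t) : p->len;
}
/* Walk an attribute stream, checking each known attribute against the policy.
 * Returns 0 and fills tb[] on success, -1 on a malformed or too-short attribute. */
static int parse_attrs(const uint8_t *buf, size_t len,
                       const struct nla_policy *policy, const struct nlattr **tb) {
    size_t off = 0;
    memset(tb, 0, sizeof(*tb) * (CFG_MAX + 1));
    while (off + NLA_HDRLEN <= len) {
        struct nlattr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < NLA_HDRLEN || off + a.nla_len > len) return -1;
        if (a.nla_type <= CFG_MAX) {
            if ((size_t)(a.nla_len - NLA_HDRLEN) < policy_minlen(&policy[a.nla_type]))
                return -1;
            tb[a.nla_type] = (const struct nlattr *)(buf + off);
        }
        off += (a.nla_len + 3u) & ~3u;   /* attributes are 4-byte aligned */
    }
    return 0;
}

/* Constructed input: one CFG_FLAGS attribute with an empty payload. Returns 1 if
 * accepted, 0 if rejected; use_policy adds an NLA_U32 entry like the patch's.
 * Without it the attribute passes and a later 4-byte read of the flags value
 * would run past the payload: the uninit-value KMSAN reported. */
int empty_flags_attr_accepted(int use_policy) {
    struct nla_policy policy[CFG_MAX + 1] = { 0 };
    const struct nlattr *tb[CFG_MAX + 1];
    struct nlattr a = { .nla_len = NLA_HDRLEN, .nla_type = CFG_FLAGS };
    uint8_t msg[NLA_HDRLEN];
    memcpy(msg, &a, sizeof a);
    if (use_policy) policy[CFG_FLAGS].type = NLA_U32;
    return parse_attrs(msg, sizeof msg, policy, tb) == 0 && tb[CFG_FLAGS] != NULL;
}
```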