diff mbox series

[net,1/8] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

Message ID 20211021100821.964677-2-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira
Headers show
Series [net,1/8] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value | expand

Commit Message

Pablo Neira Ayuso Oct. 21, 2021, 10:08 a.m. UTC 
From: Juhee Kang <claudiajkang@gmail.com>

Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
structure is initialized by kmalloc on executing idletimer_tg_create
function. However, in this process timer->timer_type is not defined to
a specific value. Thus, timer->timer_type has garbage value and it occurs
kernel panic. So, this commit fixes the panic by initializing
timer->timer_type using kzalloc instead of kmalloc.

Test commands:
    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
    $ cat /sys/class/xt_idletimer/timers/test
      Killed

Splat looks like:
    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    Call Trace:
     dump_stack_lvl+0x6e/0x9c
     kasan_report.cold+0x112/0x117
     ? alarm_expires_remaining+0x49/0x70
     __asan_load8+0x86/0xb0
     alarm_expires_remaining+0x49/0x70
     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
     dev_attr_show+0x3c/0x60
     sysfs_kf_seq_show+0x11d/0x1f0
     ? device_remove_bin_file+0x20/0x20
     kernfs_seq_show+0xa4/0xb0
     seq_read_iter+0x29c/0x750
     kernfs_fop_read_iter+0x25a/0x2c0
     ? __fsnotify_parent+0x3d1/0x570
     ? iov_iter_init+0x70/0x90
     new_sync_read+0x2a7/0x3d0
     ? __x64_sys_llseek+0x230/0x230
     ? rw_verify_area+0x81/0x150
     vfs_read+0x17b/0x240
     ksys_read+0xd9/0x180
     ? vfs_write+0x460/0x460
     ? do_syscall_64+0x16/0xc0
     ? lockdep_hardirqs_on+0x79/0x120
     __x64_sys_read+0x43/0x50
     do_syscall_64+0x3b/0xc0
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f0cdc819142
    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142
    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003
    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000
    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0
    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000

Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")
Signed-off-by: Juhee Kang <claudiajkang@gmail.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_IDLETIMER.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org Oct. 21, 2021, 11:40 a.m. UTC | #1 
Hello:

This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 21 Oct 2021 12:08:14 +0200 you wrote:
> From: Juhee Kang <claudiajkang@gmail.com>
> 
> Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
> structure is initialized by kmalloc on executing idletimer_tg_create
> function. However, in this process timer->timer_type is not defined to
> a specific value. Thus, timer->timer_type has garbage value and it occurs
> kernel panic. So, this commit fixes the panic by initializing
> timer->timer_type using kzalloc instead of kmalloc.
> 
> [...]

Here is the summary with links:
  - [net,1/8] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
    https://git.kernel.org/netdev/net/c/902c0b188752
  - [net,2/8] netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
    https://git.kernel.org/netdev/net/c/77076934afdc
  - [net,3/8] netfilter: nf_tables: skip netdev events generated on netns removal
    https://git.kernel.org/netdev/net/c/68a3765c659f
  - [net,4/8] selftests: nft_nat: add udp hole punch test case
    https://git.kernel.org/netdev/net/c/465f15a6d1a8
  - [net,5/8] netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
    https://git.kernel.org/netdev/net/c/a482c5e00a9b
  - [net,6/8] netfilter: ipvs: make global sysctl readonly in non-init netns
    https://git.kernel.org/netdev/net/c/174c37627894
  - [net,7/8] selftests: netfilter: remove stray bash debug line
    https://git.kernel.org/netdev/net/c/3e6ed7703dae
  - [net,8/8] netfilter: ebtables: allocate chainstack on CPU local nodes
    https://git.kernel.org/netdev/net/c/d9aaaf223297

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 7b2f359bfce4..2f7cf5ecebf4 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -137,7 +137,7 @@  static int idletimer_tg_create(struct idletimer_tg_info *info)
 {
 	int ret;
 
-	info->timer = kmalloc(sizeof(*info->timer), GFP_KERNEL);
+	info->timer = kzalloc(sizeof(*info->timer), GFP_KERNEL);
 	if (!info->timer) {
 		ret = -ENOMEM;
 		goto out;