[v1,nf,0/2] netfilter: iptables: Fix null-ptr-deref in ip6?table_nat_table_init().

Message ID 20240725192822.4478-1-kuniyu@amazon.com (mailing list archive)

Message

Kuniyuki Iwashima July 25, 2024, 7:28 p.m. UTC
We had a report that iptables-restore sometimes triggered null-ptr-deref
at boot time.

The problem is that iptable_nat_table_init() is exposed to user space too
early and accesses net->gen->ptr[iptable_nat_net_ops.id] before allocated.

Patch 1 fixes the issue in iptable_nat, and patch 2 applies the same fix
to ip6table_nat.


Kuniyuki Iwashima (2):
  netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().
  netfilter: iptables: Fix potential null-ptr-deref in
    ip6table_nat_table_init().

 net/ipv4/netfilter/iptable_nat.c  | 18 ++++++++++--------
 net/ipv6/netfilter/ip6table_nat.c | 14 +++++++++-----
 2 files changed, 19 insertions(+), 13 deletions(-)
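
The ordering hazard described in the cover letter, as a user-space C model added here (not the kernel patch and not code from this thread). All names are hypothetical, and the safe ordering shown is an assumed general remedy, since the patch bodies are not on this page.

```c
#include <stdlib.h>
/* User-space model only; every name here is hypothetical, not kernel code. */
struct net_model { void *gen_ptr[4]; };      /* stands in for net->gen->ptr[] */
struct nat_pernet { int table_ready; };      /* per-netns state kept in the slot */
enum { REQ_OK = 0, REQ_NULL_DEREF = -1, REQ_NO_TABLE = -2 };

static int nat_ops_id = -1;                          /* like iptable_nat_net_ops.id */
static int (*table_init_cb)(struct net_model *);     /* entry point user space can reach */

/* Step A: allocate the per-netns slot (models pernet ops registration). */
static void register_pernet_model(struct net_model *net)
{
    nat_ops_id = 1;
    net->gen_ptr[nat_ops_id] = calloc(1, sizeof(struct nat_pernet));
}

/* Table init reads the slot; a NULL slot is where the kernel would oops. */
static int nat_table_init_model(struct net_model *net)
{
    struct nat_pernet *p = nat_ops_id < 0 ? NULL : net->gen_ptr[nat_ops_id];
    if (!p) return REQ_NULL_DEREF;   /* reported instead of crashing the demo */
    p->table_ready = 1;
    return REQ_OK;
}

/* A request such as iptables-restore, arriving at an arbitrary moment. */
static int userspace_request(struct net_model *net)
{
    return table_init_cb ? table_init_cb(net) : REQ_NO_TABLE;
}

/* Run both init steps in the chosen order with one request in between; *after is a request once init is done. */
int request_in_window(int publish_first, int *after)
{
    struct net_model net = { { NULL } };
    int during;
    nat_ops_id = -1; table_init_cb = NULL;
    if (publish_first) {
        table_init_cb = nat_table_init_model;   /* Step B first: exposed too early */
        during = userspace_request(&net);
        register_pernet_model(&net);
    } else {
        register_pernet_model(&net);            /* slot exists before exposure */
        during = userspace_request(&net);
        table_init_cb = nat_table_init_model;
    }
    *after = userspace_request(&net);
    free(net.gen_ptr[nat_ops_id]);
    return during;
}
```

In the model, a request that lands between the two steps either hits the unallocated slot or is told the table does not exist yet, depending only on which step ran first.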

Comments

Florian Westphal July 26, 2024, 1:16 a.m. UTC | #1
Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> We had a report that iptables-restore sometimes triggered null-ptr-deref
> at boot time.
> 
> The problem is that iptable_nat_table_init() is exposed to user space too
> early and accesses net->gen->ptr[iptable_nat_net_ops.id] before allocated.

Right, the other xtables don't have a pernet id, but nat needs this
because of the nf_nat_core -> iptable_nat dependency.

Reviewed-by: Florian Westphal <fw@strlen.de>

Pablo Neira Ayuso July 31, 2024, 9:55 p.m. UTC | #2
On Thu, Jul 25, 2024 at 12:28:19PM -0700, Kuniyuki Iwashima wrote:
> We had a report that iptables-restore sometimes triggered null-ptr-deref
> at boot time.
> 
> The problem is that iptable_nat_table_init() is exposed to user space too
> early and accesses net->gen->ptr[iptable_nat_net_ops.id] before allocated.
> 
> Patch 1 fixes the issue in iptable_nat, and patch 2 applies the same fix
> to ip6table_nat.

Series applied and PR sent to netdev including these fixes, thanks.