bugzilla-daemon at netfilter.org
2020-Jul-08 16:07 UTC
[Bug 1440] New: kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440
Bug ID: 1440
Summary: kernel oops allowing a connection with
nfq_set_verdict() on kernel 5.7.x with hardening
parameters
Product: libnetfilter_queue
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: libnetfilter_queue
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: gooffy1 at gmail.com
Created attachment 599
--> https://bugzilla.netfilter.org/attachment.cgi?id=599&action=edit
nfqueue tester
Hi!
Some users have reported kernel OOPs [0][1] using opensnitch, an app that uses
libnetfilter_queue to allow or deny connections.
These users configured several hardening parameters of the kernel, and the one
that is causing this problem is: slub_debug=FZP
The versions of libnetfilter_queue used are 1.0.3 (Debian/GNU) and 1.0.5
(ArchLinux).
I've narrowed the problem down to nfq_set_verdict(), and only when allowing
a
connection. I've also reproduced it with the tester attached, a minimal
version
of this one:
https://raw.githubusercontent.com/adsbh7/net_filter/e27f6dec4c5d29b71c70b9c33e00b644334726fd/nfqnl_test.c
steps to reproduce it:
# iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 100
# ./nfqnl_test
$ ping netfilter.org
The problem occurs on kernel 5.7.0 (+ hardening-runtime deb package), but a
user also reported it with 5.6.16.
Finally, I also compiled the nfqueue from the git, and it's working fine.
--
[0] https://github.com/evilsocket/opensnitch/issues/297
[1] https://github.com/gustavo-iniguez-goya/opensnitch/issues/41
Example of a kernel OOPs:
Jul 8 16:34:17 localhost kernel: [222252.785620] general protection fault,
probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#47] SMP PTI
Jul 8 16:34:17 localhost kernel: [222252.785625] CPU: 0 PID: 27890 Comm:
nfqnl_test Tainted: P D OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
Jul 8 16:34:17 localhost kernel: [222252.785635] RIP:
0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul 8 16:34:17 localhost kernel: [222252.785636] Code: fd ff ff 49 89 c6 48 85
c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29
48 01 d0 74 24 48 8b 00 <f6> 80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8
02 0f
84 32 01 00
Jul 8 16:34:17 localhost kernel: [222252.785638] RSP: 0018:ffffb8144c077900
EFLAGS: 00010282
Jul 8 16:34:17 localhost kernel: [222252.785639] RAX: 6b6b6b6b6b6b6b6b RBX:
ffff961478c510c0 RCX: 000000000015000b
Jul 8 16:34:17 localhost kernel: [222252.785640] RDX: 000000000000006b RSI:
0000000000000000 RDI: 0000000000000246
Jul 8 16:34:17 localhost kernel: [222252.785641] RBP: ffffb8144c077970 R08:
ffffffffc23df010 R09: ffff961478c51100
Jul 8 16:34:17 localhost kernel: [222252.785642] R10: ffff961478c510c0 R11:
0000000000000001 R12: ffff9611ee0731c0
Jul 8 16:34:17 localhost kernel: [222252.785643] R13: 0000000000000002 R14:
ffff961478c51540 R15: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785645] FS: 00007ffff7bafb80(0000)
GS:ffff9615ca000000(0000) knlGS:0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785646] CS: 0010 DS: 0000 ES: 0000
CR0: 0000000080050033
Jul 8 16:34:17 localhost kernel: [222252.785647] CR2: 0000561e9a330e8c CR3:
0000000403a10004 CR4: 00000000001606f0
Jul 8 16:34:17 localhost kernel: [222252.785648] Call Trace:
Jul 8 16:34:17 localhost kernel: [222252.785654] ? nfqnl_reinject+0x38/0x50
[nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785656] nfqnl_reinject+0x38/0x50
[nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785658]
nfqnl_recv_verdict+0x28d/0x4c0 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785662]
nfnetlink_rcv_msg+0x149/0x260 [nfnetlink]
Jul 8 16:34:17 localhost kernel: [222252.785668] ?
cred_has_capability+0x7c/0x120
Jul 8 16:34:17 localhost kernel: [222252.785670] ?
nfnetlink_net_exit_batch+0x60/0x60 [nfnetlink]
Jul 8 16:34:17 localhost kernel: [222252.785674] netlink_rcv_skb+0x49/0x110
Jul 8 16:34:17 localhost kernel: [222252.785676] nfnetlink_rcv+0x69/0x149
[nfnetlink]
Jul 8 16:34:17 localhost kernel: [222252.785678] netlink_unicast+0x191/0x230
Jul 8 16:34:17 localhost kernel: [222252.785680] netlink_sendmsg+0x243/0x480
Jul 8 16:34:17 localhost kernel: [222252.785684] sock_sendmsg+0x5e/0x60
Jul 8 16:34:17 localhost kernel: [222252.785686] ____sys_sendmsg+0x1ef/0x260
Jul 8 16:34:17 localhost kernel: [222252.785688] ?
copy_msghdr_from_user+0x5c/0x90
Jul 8 16:34:17 localhost kernel: [222252.785691] ? try_to_wake_up+0x218/0x660
Jul 8 16:34:17 localhost kernel: [222252.785692] ___sys_sendmsg+0x81/0xc0
Jul 8 16:34:17 localhost kernel: [222252.785695] ? pty_write+0x79/0xa0
Jul 8 16:34:17 localhost kernel: [222252.785698] __sys_sendmsg+0x59/0xa0
Jul 8 16:34:17 localhost kernel: [222252.785701] do_syscall_64+0x52/0x180
Jul 8 16:34:17 localhost kernel: [222252.785704]
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jul 8 16:34:17 localhost kernel: [222252.785706] RIP: 0033:0x7ffff7ebe7b3
Jul 8 16:34:17 localhost kernel: [222252.785708] Code: c7 c0 ff ff ff ff eb bb
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75
14 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec
28 89
54 24 1c 48
Jul 8 16:34:17 localhost kernel: [222252.785709] RSP: 002b:00007fffffffd278
EFLAGS: 00000246 ORIG_RAX: 000000000000002e
Jul 8 16:34:17 localhost kernel: [222252.785710] RAX: ffffffffffffffda RBX:
00007fffffffd320 RCX: 00007ffff7ebe7b3
Jul 8 16:34:17 localhost kernel: [222252.785711] RDX: 0000000000000000 RSI:
00007fffffffd290 RDI: 0000000000000003
Jul 8 16:34:17 localhost kernel: [222252.785712] RBP: 0000000000000000 R08:
0000000000000014 R09: 0000000000000301
Jul 8 16:34:17 localhost kernel: [222252.785713] R10: 0000000000000001 R11:
0000000000000246 R12: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785714] R13: 0000555555559928 R14:
0000000000000000 R15: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785716] Modules linked in: tun
nls_ascii nls_cp437 vfat fat mmc_block uas usb_storage ctr ccm hid_generic
usbhid hid udp_diag tcp_diag inet_diag xt_mark xt_NFQUEUE nfnetlink_queue veth
xt_nat nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype xt_conntrack
br_netfilter overlay xt_CHECKSUM nft_chain_nat xt_MASQUERADE nf_nat
nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter vboxnetadp(OE)
vboxnetflt(OE) xt_tcpudp nft_compat vboxdrv(OE) bridge stp llc nf_tables
nfnetlink fuse uinput binfmt_misc intel_rapl_msr intel_rapl_common mei_wdt
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iwldvm kvm mac80211
libarc4 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi iwlwifi
irqbypass intel_cstate intel_uncore intel_rapl_perf joydev snd_hda_intel
nvidia_drm(POE) snd_intel_dspcfg pcspkr wmi_bmof cfg80211 serio_raw
snd_hda_codec sg thinkpad_acpi tpm_tis drm_kms_helper iTCO_wdt snd_hda_core
iTCO_vendor_support cec nvram watchdog ledtrig_audio tpm_tis_core drm snd_hwdep
Jul 8 16:34:17 localhost kernel: [222252.785744] rfkill mei_me snd_pcm tpm ac
evdev rng_core nvidia_modeset(POE) snd_timer mei snd soundcore nvidia(POE)
ipmi_devintf ipmi_msghandler loop parport_pc ppdev lp parport ip_tables
x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_decompress
zstd_compress dm_crypt dm_mod raid10 raid456 async_raid6_recov async_memcpy
async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0
multipath linear md_mod sd_mod t10_pi crc_t10dif crct10dif_generic
crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel
ahci libahci aesni_intel libaes crypto_simd libata cryptd glue_helper psmouse
scsi_mod i2c_i801 firewire_ohci firewire_core crc_itu_t sdhci_pci cqhci sdhci
lpc_ich mfd_core xhci_pci ehci_pci mmc_core ehci_hcd xhci_hcd e1000e usbcore
ptp pps_core usb_common wmi battery video button
Jul 8 16:34:17 localhost kernel: [222252.785775] ---[ end trace
355093f002fed35a ]---
Jul 8 16:34:17 localhost kernel: [222252.785780] RIP:
0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul 8 16:34:17 localhost kernel: [222252.785781] Code: fd ff ff 49 89 c6 48 85
c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29
48 01 d0 74 24 48 8b 00 <f6> 80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8
02 0f
84 32 01 00
Jul 8 16:34:17 localhost kernel: [222252.785782] RSP: 0018:ffffb81442867900
EFLAGS: 00010286
Jul 8 16:34:17 localhost kernel: [222252.785784] RAX: 6b6b6b6b6b6b6b6b RBX:
ffff9614c8c8f540 RCX: 000000000015000b
Jul 8 16:34:17 localhost kernel: [222252.785785] RDX: 000000000000006b RSI:
0000000000000000 RDI: 0000000000000246
Jul 8 16:34:17 localhost kernel: [222252.785785] RBP: ffffb81442867970 R08:
ffffffffc23df010 R09: ffff9614c8c8f600
Jul 8 16:34:17 localhost kernel: [222252.785786] R10: ffff9614c8c8f540 R11:
0000000000000001 R12: ffff96159f0a1080
Jul 8 16:34:17 localhost kernel: [222252.785787] R13: 0000000000000002 R14:
ffff9614c8c8f240 R15: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785788] FS: 00007ffff7bafb80(0000)
GS:ffff9615ca000000(0000) knlGS:0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785789] CS: 0010 DS: 0000 ES: 0000
CR0: 0000000080050033
Jul 8 16:34:17 localhost kernel: [222252.785790] CR2: 0000561e9a330e8c CR3:
0000000403a10004 CR4: 00000000001606f0
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200708/6d001cfb/attachment-0001.html>
bugzilla-daemon at netfilter.org
2020-Jul-13 08:13 UTC
[Bug 1440] kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Please, try this patch:
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200713/0059035e/attachment.html>
bugzilla-daemon at netfilter.org
2020-Jul-13 21:04 UTC
[Bug 1440] kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440 --- Comment #2 from gus <gooffy1 at gmail.com> --- Hi Pablo, I compiled and installed kernel 5.7.6 from Debian -> bug reproduced. Kernel 5.7.6 recompiled with your patch -> bug not reproduced. So it seems to be solved :) Thank you! -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200713/784c9907/attachment-0001.html>
bugzilla-daemon at netfilter.org
2020-Jul-28 22:58 UTC
[Bug 1440] kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440
gus <gooffy1 at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200728/7a310dc0/attachment-0001.html>
Apparently Analagous Threads
- forwarding packets to service in same host without using loopback network
- [Bug 941] New: --queue-balance sending all traffic to queue 0
- [Bug 846] New: ./nfqnl_test usage ! no activity shown
- traffic distribution not happening in centos 6.5
- [Bug 743] New: Errors in compiling nfqnl_test.c