bugzilla-daemon at netfilter.org
2020-Jul-08 16:07 UTC
[Bug 1440] New: kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440

Bug ID: 1440
Summary: kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
Product: libnetfilter_queue
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: libnetfilter_queue
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: gooffy1 at gmail.com

Created attachment 599
  --> https://bugzilla.netfilter.org/attachment.cgi?id=599&action=edit
nfqueue tester

Hi!

Some users have reported kernel oopses [0][1] using opensnitch, an app that uses libnetfilter_queue to allow or deny connections.

These users configured several hardening parameters of the kernel, and the one that is causing this problem is:

    slub_debug=FZP

The versions of libnetfilter_queue used are 1.0.3 (Debian/GNU) and 1.0.5 (ArchLinux).

I've narrowed the problem down to nfq_set_verdict(), and only when allowing a connection. I've also reproduced it with the tester attached, a minimal version of this one:
https://raw.githubusercontent.com/adsbh7/net_filter/e27f6dec4c5d29b71c70b9c33e00b644334726fd/nfqnl_test.c

Steps to reproduce it:

    # iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 100
    # ./nfqnl_test
    $ ping netfilter.org

The problem occurs on kernel 5.7.0 (+ hardening-runtime deb package), but a user also reported it with 5.6.16.

Finally, I also compiled the nfqueue from git, and it's working fine.
--
[0] https://github.com/evilsocket/opensnitch/issues/297
[1] https://github.com/gustavo-iniguez-goya/opensnitch/issues/41

Example of a kernel oops:

Jul 8 16:34:17 localhost kernel: [222252.785620] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#47] SMP PTI
Jul 8 16:34:17 localhost kernel: [222252.785625] CPU: 0 PID: 27890 Comm: nfqnl_test Tainted: P D OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
Jul 8 16:34:17 localhost kernel: [222252.785635] RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul 8 16:34:17 localhost kernel: [222252.785636] Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00 <f6> 80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jul 8 16:34:17 localhost kernel: [222252.785638] RSP: 0018:ffffb8144c077900 EFLAGS: 00010282
Jul 8 16:34:17 localhost kernel: [222252.785639] RAX: 6b6b6b6b6b6b6b6b RBX: ffff961478c510c0 RCX: 000000000015000b
Jul 8 16:34:17 localhost kernel: [222252.785640] RDX: 000000000000006b RSI: 0000000000000000 RDI: 0000000000000246
Jul 8 16:34:17 localhost kernel: [222252.785641] RBP: ffffb8144c077970 R08: ffffffffc23df010 R09: ffff961478c51100
Jul 8 16:34:17 localhost kernel: [222252.785642] R10: ffff961478c510c0 R11: 0000000000000001 R12: ffff9611ee0731c0
Jul 8 16:34:17 localhost kernel: [222252.785643] R13: 0000000000000002 R14: ffff961478c51540 R15: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785645] FS: 00007ffff7bafb80(0000) GS:ffff9615ca000000(0000) knlGS:0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785646] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 8 16:34:17 localhost kernel: [222252.785647] CR2: 0000561e9a330e8c CR3: 0000000403a10004 CR4: 00000000001606f0
Jul 8 16:34:17 localhost kernel: [222252.785648] Call Trace:
Jul 8 16:34:17 localhost kernel: [222252.785654] ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785656] nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785658] nfqnl_recv_verdict+0x28d/0x4c0 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785662] nfnetlink_rcv_msg+0x149/0x260 [nfnetlink]
Jul 8 16:34:17 localhost kernel: [222252.785668] ? cred_has_capability+0x7c/0x120
Jul 8 16:34:17 localhost kernel: [222252.785670] ? nfnetlink_net_exit_batch+0x60/0x60 [nfnetlink]
Jul 8 16:34:17 localhost kernel: [222252.785674] netlink_rcv_skb+0x49/0x110
Jul 8 16:34:17 localhost kernel: [222252.785676] nfnetlink_rcv+0x69/0x149 [nfnetlink]
Jul 8 16:34:17 localhost kernel: [222252.785678] netlink_unicast+0x191/0x230
Jul 8 16:34:17 localhost kernel: [222252.785680] netlink_sendmsg+0x243/0x480
Jul 8 16:34:17 localhost kernel: [222252.785684] sock_sendmsg+0x5e/0x60
Jul 8 16:34:17 localhost kernel: [222252.785686] ____sys_sendmsg+0x1ef/0x260
Jul 8 16:34:17 localhost kernel: [222252.785688] ? copy_msghdr_from_user+0x5c/0x90
Jul 8 16:34:17 localhost kernel: [222252.785691] ? try_to_wake_up+0x218/0x660
Jul 8 16:34:17 localhost kernel: [222252.785692] ___sys_sendmsg+0x81/0xc0
Jul 8 16:34:17 localhost kernel: [222252.785695] ? pty_write+0x79/0xa0
Jul 8 16:34:17 localhost kernel: [222252.785698] __sys_sendmsg+0x59/0xa0
Jul 8 16:34:17 localhost kernel: [222252.785701] do_syscall_64+0x52/0x180
Jul 8 16:34:17 localhost kernel: [222252.785704] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jul 8 16:34:17 localhost kernel: [222252.785706] RIP: 0033:0x7ffff7ebe7b3
Jul 8 16:34:17 localhost kernel: [222252.785708] Code: c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 89 54 24 1c 48
Jul 8 16:34:17 localhost kernel: [222252.785709] RSP: 002b:00007fffffffd278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
Jul 8 16:34:17 localhost kernel: [222252.785710] RAX: ffffffffffffffda RBX: 00007fffffffd320 RCX: 00007ffff7ebe7b3
Jul 8 16:34:17 localhost kernel: [222252.785711] RDX: 0000000000000000 RSI: 00007fffffffd290 RDI: 0000000000000003
Jul 8 16:34:17 localhost kernel: [222252.785712] RBP: 0000000000000000 R08: 0000000000000014 R09: 0000000000000301
Jul 8 16:34:17 localhost kernel: [222252.785713] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785714] R13: 0000555555559928 R14: 0000000000000000 R15: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785716] Modules linked in: tun nls_ascii nls_cp437 vfat fat mmc_block uas usb_storage ctr ccm hid_generic usbhid hid udp_diag tcp_diag inet_diag xt_mark xt_NFQUEUE nfnetlink_queue veth xt_nat nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype xt_conntrack br_netfilter overlay xt_CHECKSUM nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter vboxnetadp(OE) vboxnetflt(OE) xt_tcpudp nft_compat vboxdrv(OE) bridge stp llc nf_tables nfnetlink fuse uinput binfmt_misc intel_rapl_msr intel_rapl_common mei_wdt x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iwldvm kvm mac80211 libarc4 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi iwlwifi irqbypass intel_cstate intel_uncore intel_rapl_perf joydev snd_hda_intel nvidia_drm(POE) snd_intel_dspcfg pcspkr wmi_bmof cfg80211 serio_raw snd_hda_codec sg thinkpad_acpi tpm_tis drm_kms_helper iTCO_wdt snd_hda_core iTCO_vendor_support cec nvram watchdog ledtrig_audio tpm_tis_core drm snd_hwdep
Jul 8 16:34:17 localhost kernel: [222252.785744] rfkill mei_me snd_pcm tpm ac evdev rng_core nvidia_modeset(POE) snd_timer mei snd soundcore nvidia(POE) ipmi_devintf ipmi_msghandler loop parport_pc ppdev lp parport ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_decompress zstd_compress dm_crypt dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel ahci libahci aesni_intel libaes crypto_simd libata cryptd glue_helper psmouse scsi_mod i2c_i801 firewire_ohci firewire_core crc_itu_t sdhci_pci cqhci sdhci lpc_ich mfd_core xhci_pci ehci_pci mmc_core ehci_hcd xhci_hcd e1000e usbcore ptp pps_core usb_common wmi battery video button
Jul 8 16:34:17 localhost kernel: [222252.785775] ---[ end trace 355093f002fed35a ]---
Jul 8 16:34:17 localhost kernel: [222252.785780] RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul 8 16:34:17 localhost kernel: [222252.785781] Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00 <f6> 80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jul 8 16:34:17 localhost kernel: [222252.785782] RSP: 0018:ffffb81442867900 EFLAGS: 00010286
Jul 8 16:34:17 localhost kernel: [222252.785784] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9614c8c8f540 RCX: 000000000015000b
Jul 8 16:34:17 localhost kernel: [222252.785785] RDX: 000000000000006b RSI: 0000000000000000 RDI: 0000000000000246
Jul 8 16:34:17 localhost kernel: [222252.785785] RBP: ffffb81442867970 R08: ffffffffc23df010 R09: ffff9614c8c8f600
Jul 8 16:34:17 localhost kernel: [222252.785786] R10: ffff9614c8c8f540 R11: 0000000000000001 R12: ffff96159f0a1080
Jul 8 16:34:17 localhost kernel: [222252.785787] R13: 0000000000000002 R14: ffff9614c8c8f240 R15: 0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785788] FS: 00007ffff7bafb80(0000) GS:ffff9615ca000000(0000) knlGS:0000000000000000
Jul 8 16:34:17 localhost kernel: [222252.785789] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 8 16:34:17 localhost kernel: [222252.785790] CR2: 0000561e9a330e8c CR3: 0000000403a10004 CR4: 00000000001606f0
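As an added triage example (not part of this bug report or of the netfilter project): a small Python helper that reads an oops like the one quoted above, recognises the SLUB poison pattern in the non-canonical fault address (0x6b is POISON_FREE, the byte slub_debug=P writes over freed objects, so the fault is a use-after-free rather than a wild pointer) and separates the unwinder's reliable call-trace frames from the "? " guesses. The sample log is constructed from the first lines of the report's oops.

```python
import re
# Slab poison bytes from the kernel's include/linux/poison.h / mm/slub.c. With
# slub_debug=P a freed object is filled with POISON_FREE, so a fault on an address
# made of repeated 0x6b bytes is the signature of a use-after-free.
POISON = {0x5a: "POISON_INUSE", 0x6b: "POISON_FREE", 0xa5: "POISON_END",
          0xbb: "SLUB_RED_INACTIVE", 0xcc: "SLUB_RED_ACTIVE"}
SYSLOG = re.compile(r"^.*?kernel: \[\s*[\d.]+\]\s*")   # "Jul 8 ... kernel: [ts] " prefix
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def classify_address(addr):
    """Poison name if all eight bytes of addr are the same poison byte, else None."""
    b = addr.to_bytes(8, "little")
    return POISON.get(b[0]) if len(set(b)) == 1 else None

def analyze_oops(log):
    """Extract fault address, faulting symbol, taint flags and the kernel call trace."""
    info = dict(fault_addr=None, poison=None, rip=None, tainted=None, trace=[], unreliable=[])
    in_trace = False
    for raw in log.splitlines():
        ln = SYSLOG.sub("", raw).strip()
        if m := re.search(r"non-canonical address (0x[0-9a-f]+)", ln):
            info["fault_addr"] = int(m.group(1), 16)
            info["poison"] = classify_address(info["fault_addr"])
        elif m := re.search(r"Tainted: ([A-Z ]+?) \d", ln):
            info["tainted"] = m.group(1)
        elif ln.startswith("RIP: 0010:"):                   # kernel-mode RIP (first one only)
            info["rip"] = info["rip"] or ln.split(":", 2)[2]
        elif ln.startswith(("RIP:", "Modules linked in")):  # user-mode RIP ends the trace
            in_trace = False
        elif ln == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(ln)):          # "? " frames are unwinder guesses
            sym = m.group(2) + (f" [{m.group(3)}]" if m.group(3) else "")
            info["unreliable" if m.group(1) else "trace"].append(sym)
    return info

def verdict(info):
    """One-line triage summary for a ticket."""
    if info["poison"] == "POISON_FREE":
        return f"use-after-free in {info['rip']} via {' <- '.join(info['trace'][:3])}"
    return "no slab poison signature; not obviously a use-after-free"

# Constructed sample: the first lines of the oops quoted in this bug report.
SAMPLE_OOPS = """\
Jul 8 16:34:17 localhost kernel: [222252.785620] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#47] SMP PTI
Jul 8 16:34:17 localhost kernel: [222252.785625] CPU: 0 PID: 27890 Comm: nfqnl_test Tainted: P D OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
Jul 8 16:34:17 localhost kernel: [222252.785635] RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul 8 16:34:17 localhost kernel: [222252.785648] Call Trace:
Jul 8 16:34:17 localhost kernel: [222252.785654] ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785656] nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785658] nfqnl_recv_verdict+0x28d/0x4c0 [nfnetlink_queue]
Jul 8 16:34:17 localhost kernel: [222252.785706] RIP: 0033:0x7ffff7ebe7b3
"""
```

Run `verdict(analyze_oops(SAMPLE_OOPS))` to get the summary; the taint flags (P D OE: proprietary and out-of-tree modules loaded, an earlier oops already occurred) tell the responder how much to trust the rest of the dump.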
bugzilla-daemon at netfilter.org
2020-Jul-13 08:13 UTC
[Bug 1440] kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
         Status    |NEW     |ASSIGNED
             CC    |        |pablo at netfilter.org

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Please, try this patch:
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3
bugzilla-daemon at netfilter.org
2020-Jul-13 21:04 UTC
[Bug 1440] kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440

--- Comment #2 from gus <gooffy1 at gmail.com> ---

Hi Pablo,

I compiled and installed kernel 5.7.6 from Debian -> bug reproduced.
Kernel 5.7.6 recompiled with your patch -> bug not reproduced.

So it seems to be solved :)

Thank you!
bugzilla-daemon at netfilter.org
2020-Jul-28 22:58 UTC
[Bug 1440] kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters
https://bugzilla.netfilter.org/show_bug.cgi?id=1440

gus <gooffy1 at gmail.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
     Resolution    |---      |FIXED
         Status    |ASSIGNED |RESOLVED