[Bug 1440] New: kernel oops allowing a connection with nfq_set_verdict() on kernel 5.7.x with hardening parameters

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Jul 8 18:07:52 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1440

            Bug ID: 1440
           Summary: kernel oops allowing a connection with
                    nfq_set_verdict() on kernel 5.7.x with hardening
                    parameters
           Product: libnetfilter_queue
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: libnetfilter_queue
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: gooffy1 at gmail.com

Created attachment 599
  --> https://bugzilla.netfilter.org/attachment.cgi?id=599&action=edit
nfqueue tester

Hi!

Some users have reported kernel oopses [0][1] when using opensnitch, an app that uses
libnetfilter_queue to allow or deny connections.

These users configured several hardening parameters of the kernel, and the one
that is causing this problem is: slub_debug=FZP

The versions of libnetfilter_queue used are 1.0.3 (Debian/GNU) and 1.0.5
(ArchLinux).

I've narrowed the problem down to nfq_set_verdict(), and only when allowing a
connection. I've also reproduced it with the tester attached, a minimal version
of this one: 
https://raw.githubusercontent.com/adsbh7/net_filter/e27f6dec4c5d29b71c70b9c33e00b644334726fd/nfqnl_test.c

Steps to reproduce it:
  # iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 100
  # ./nfqnl_test
  $ ping netfilter.org

The problem occurs on kernel 5.7.0 (+ hardening-runtime deb package), but a
user also reported it with 5.6.16.

Finally, I also compiled nfqueue from git, and it's working fine.

--

[0] https://github.com/evilsocket/opensnitch/issues/297
[1] https://github.com/gustavo-iniguez-goya/opensnitch/issues/41


Example of a kernel oops:

Jul  8 16:34:17 localhost kernel: [222252.785620] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#47] SMP PTI
Jul  8 16:34:17 localhost kernel: [222252.785625] CPU: 0 PID: 27890 Comm: nfqnl_test Tainted: P      D    OE     5.7.0-1-amd64 #1 Debian 5.7.6-1
Jul  8 16:34:17 localhost kernel: [222252.785635] RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul  8 16:34:17 localhost kernel: [222252.785636] Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00 <f6> 80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jul  8 16:34:17 localhost kernel: [222252.785638] RSP: 0018:ffffb8144c077900 EFLAGS: 00010282
Jul  8 16:34:17 localhost kernel: [222252.785639] RAX: 6b6b6b6b6b6b6b6b RBX: ffff961478c510c0 RCX: 000000000015000b
Jul  8 16:34:17 localhost kernel: [222252.785640] RDX: 000000000000006b RSI: 0000000000000000 RDI: 0000000000000246
Jul  8 16:34:17 localhost kernel: [222252.785641] RBP: ffffb8144c077970 R08: ffffffffc23df010 R09: ffff961478c51100
Jul  8 16:34:17 localhost kernel: [222252.785642] R10: ffff961478c510c0 R11: 0000000000000001 R12: ffff9611ee0731c0
Jul  8 16:34:17 localhost kernel: [222252.785643] R13: 0000000000000002 R14: ffff961478c51540 R15: 0000000000000000
Jul  8 16:34:17 localhost kernel: [222252.785645] FS:  00007ffff7bafb80(0000) GS:ffff9615ca000000(0000) knlGS:0000000000000000
Jul  8 16:34:17 localhost kernel: [222252.785646] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul  8 16:34:17 localhost kernel: [222252.785647] CR2: 0000561e9a330e8c CR3: 0000000403a10004 CR4: 00000000001606f0
Jul  8 16:34:17 localhost kernel: [222252.785648] Call Trace:
Jul  8 16:34:17 localhost kernel: [222252.785654]  ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jul  8 16:34:17 localhost kernel: [222252.785656]  nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jul  8 16:34:17 localhost kernel: [222252.785658]  nfqnl_recv_verdict+0x28d/0x4c0 [nfnetlink_queue]
Jul  8 16:34:17 localhost kernel: [222252.785662]  nfnetlink_rcv_msg+0x149/0x260 [nfnetlink]
Jul  8 16:34:17 localhost kernel: [222252.785668]  ? cred_has_capability+0x7c/0x120
Jul  8 16:34:17 localhost kernel: [222252.785670]  ? nfnetlink_net_exit_batch+0x60/0x60 [nfnetlink]
Jul  8 16:34:17 localhost kernel: [222252.785674]  netlink_rcv_skb+0x49/0x110
Jul  8 16:34:17 localhost kernel: [222252.785676]  nfnetlink_rcv+0x69/0x149 [nfnetlink]
Jul  8 16:34:17 localhost kernel: [222252.785678]  netlink_unicast+0x191/0x230
Jul  8 16:34:17 localhost kernel: [222252.785680]  netlink_sendmsg+0x243/0x480
Jul  8 16:34:17 localhost kernel: [222252.785684]  sock_sendmsg+0x5e/0x60
Jul  8 16:34:17 localhost kernel: [222252.785686]  ____sys_sendmsg+0x1ef/0x260
Jul  8 16:34:17 localhost kernel: [222252.785688]  ? copy_msghdr_from_user+0x5c/0x90
Jul  8 16:34:17 localhost kernel: [222252.785691]  ? try_to_wake_up+0x218/0x660
Jul  8 16:34:17 localhost kernel: [222252.785692]  ___sys_sendmsg+0x81/0xc0
Jul  8 16:34:17 localhost kernel: [222252.785695]  ? pty_write+0x79/0xa0
Jul  8 16:34:17 localhost kernel: [222252.785698]  __sys_sendmsg+0x59/0xa0
Jul  8 16:34:17 localhost kernel: [222252.785701]  do_syscall_64+0x52/0x180
Jul  8 16:34:17 localhost kernel: [222252.785704]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jul  8 16:34:17 localhost kernel: [222252.785706] RIP: 0033:0x7ffff7ebe7b3
Jul  8 16:34:17 localhost kernel: [222252.785708] Code: c7 c0 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 89 54 24 1c 48
Jul  8 16:34:17 localhost kernel: [222252.785709] RSP: 002b:00007fffffffd278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
Jul  8 16:34:17 localhost kernel: [222252.785710] RAX: ffffffffffffffda RBX: 00007fffffffd320 RCX: 00007ffff7ebe7b3
Jul  8 16:34:17 localhost kernel: [222252.785711] RDX: 0000000000000000 RSI: 00007fffffffd290 RDI: 0000000000000003
Jul  8 16:34:17 localhost kernel: [222252.785712] RBP: 0000000000000000 R08: 0000000000000014 R09: 0000000000000301
Jul  8 16:34:17 localhost kernel: [222252.785713] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
Jul  8 16:34:17 localhost kernel: [222252.785714] R13: 0000555555559928 R14: 0000000000000000 R15: 0000000000000000
Jul  8 16:34:17 localhost kernel: [222252.785716] Modules linked in: tun nls_ascii nls_cp437 vfat fat mmc_block uas usb_storage ctr ccm hid_generic usbhid hid udp_diag tcp_diag inet_diag xt_mark xt_NFQUEUE nfnetlink_queue veth xt_nat nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype xt_conntrack br_netfilter overlay xt_CHECKSUM nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_counter vboxnetadp(OE) vboxnetflt(OE) xt_tcpudp nft_compat vboxdrv(OE) bridge stp llc nf_tables nfnetlink fuse uinput binfmt_misc intel_rapl_msr intel_rapl_common mei_wdt x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iwldvm kvm mac80211 libarc4 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi iwlwifi irqbypass intel_cstate intel_uncore intel_rapl_perf joydev snd_hda_intel nvidia_drm(POE) snd_intel_dspcfg pcspkr wmi_bmof cfg80211 serio_raw snd_hda_codec sg thinkpad_acpi tpm_tis drm_kms_helper iTCO_wdt snd_hda_core iTCO_vendor_support cec nvram watchdog ledtrig_audio tpm_tis_core drm snd_hwdep
Jul  8 16:34:17 localhost kernel: [222252.785744]  rfkill mei_me snd_pcm tpm ac evdev rng_core nvidia_modeset(POE) snd_timer mei snd soundcore nvidia(POE) ipmi_devintf ipmi_msghandler loop parport_pc ppdev lp parport ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_decompress zstd_compress dm_crypt dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel ahci libahci aesni_intel libaes crypto_simd libata cryptd glue_helper psmouse scsi_mod i2c_i801 firewire_ohci firewire_core crc_itu_t sdhci_pci cqhci sdhci lpc_ich mfd_core xhci_pci ehci_pci mmc_core ehci_hcd xhci_hcd e1000e usbcore ptp pps_core usb_common wmi battery video button
Jul  8 16:34:17 localhost kernel: [222252.785775] ---[ end trace 355093f002fed35a ]---
Jul  8 16:34:17 localhost kernel: [222252.785780] RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul  8 16:34:17 localhost kernel: [222252.785781] Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00 <f6> 80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jul  8 16:34:17 localhost kernel: [222252.785782] RSP: 0018:ffffb81442867900 EFLAGS: 00010286
Jul  8 16:34:17 localhost kernel: [222252.785784] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9614c8c8f540 RCX: 000000000015000b
Jul  8 16:34:17 localhost kernel: [222252.785785] RDX: 000000000000006b RSI: 0000000000000000 RDI: 0000000000000246
Jul  8 16:34:17 localhost kernel: [222252.785785] RBP: ffffb81442867970 R08: ffffffffc23df010 R09: ffff9614c8c8f600
Jul  8 16:34:17 localhost kernel: [222252.785786] R10: ffff9614c8c8f540 R11: 0000000000000001 R12: ffff96159f0a1080
Jul  8 16:34:17 localhost kernel: [222252.785787] R13: 0000000000000002 R14: ffff9614c8c8f240 R15: 0000000000000000
Jul  8 16:34:17 localhost kernel: [222252.785788] FS:  00007ffff7bafb80(0000) GS:ffff9615ca000000(0000) knlGS:0000000000000000
Jul  8 16:34:17 localhost kernel: [222252.785789] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul  8 16:34:17 localhost kernel: [222252.785790] CR2: 0000561e9a330e8c CR3: 0000000403a10004 CR4: 00000000001606f0
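
Added example (not part of the report, of opensnitch or of libnetfilter_queue): a small Python triage script for oopses like the one above. The detail worth reading off the dump is the faulting address 0x6b6b6b6b6b6b6b6b in RAX: 0x6b is the SLUB POISON_FREE byte that slub_debug=P writes over freed slab objects, so a pointer loaded from an already-freed object turns into this non-canonical address and faults in nf_conntrack_update. Without poisoning the stale memory is usually still intact and the same use-after-free passes unnoticed, which is why the crash only shows on the hardened kernels. The script undoes the mail line-wrapping, pulls out the fault, RIP, first register dump and call trace, and flags registers carrying a full poison pattern; SAMPLE_OOPS is an excerpt of the oops quoted above in its wrapped form, and the regular expressions, field names and classification labels are this example's own.

```python
"""Kernel oops triage (added example for bug 1440, not code from the report, opensnitch or
libnetfilter_queue): re-join mail-wrapped lines, parse the oops, flag SLUB poison patterns."""
import re

# SLUB debug poison bytes (include/linux/poison.h). slub_debug=P fills freed objects with
# POISON_FREE, so a pointer read from freed memory becomes the non-canonical address
# 0x6b6b6b6b6b6b6b6b and faults at once instead of silently reusing stale data.
POISON_BYTES = {0x6b: "POISON_FREE", 0x5a: "POISON_INUSE"}  # freed / allocated-but-unwritten

PREFIX_RE = re.compile(r"^(?:.*?kernel:\s*)?\[\s*\d+\.\d+\]\s?")  # syslog or dmesg stamp
FAULT_RE = re.compile(r"^(general protection fault|BUG: unable to handle page fault|kernel BUG at \S+)")
ADDR_RE = re.compile(r"address:?\s+(?:0x)?([0-9a-f]{1,16})\b")
TASK_RE = re.compile(r"PID: (\d+) Comm: (\S+) (?:Not tainted|Tainted: (.*?))\s+\d\S*")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:(\S+?\+0x[0-9a-f]+/0x[0-9a-f]+)(?: \[(\w+)\])?")
REG_RE = re.compile(r"\b(R(?:[A-Z]{2}|\d{2})): ([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"^\s*(\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)(?: \[(\w+)\])?\s*$")

# Excerpt of the oops quoted in the report, kept in its mail-wrapped form.
SAMPLE_OOPS = """\
Jul  8 16:34:17 localhost kernel: [222252.785620] general protection fault,
probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#47] SMP PTI
Jul  8 16:34:17 localhost kernel: [222252.785625] CPU: 0 PID: 27890 Comm:
nfqnl_test Tainted: P      D    OE     5.7.0-1-amd64 #1 Debian 5.7.6-1
Jul  8 16:34:17 localhost kernel: [222252.785635] RIP:
0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jul  8 16:34:17 localhost kernel: [222252.785639] RAX: 6b6b6b6b6b6b6b6b RBX:
ffff961478c510c0 RCX: 000000000015000b
Jul  8 16:34:17 localhost kernel: [222252.785648] Call Trace:
Jul  8 16:34:17 localhost kernel: [222252.785654]  ? nfqnl_reinject+0x38/0x50
[nfnetlink_queue]
Jul  8 16:34:17 localhost kernel: [222252.785656]  nfqnl_reinject+0x38/0x50
[nfnetlink_queue]
Jul  8 16:34:17 localhost kernel: [222252.785658]
nfqnl_recv_verdict+0x28d/0x4c0 [nfnetlink_queue]
"""

def join_wrapped(text):
    """A line without a dmesg/syslog stamp continues the previous record (mailer wrap)."""
    records = []
    for raw in text.splitlines():
        if PREFIX_RE.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] = records[-1].rstrip() + " " + raw.strip()
    return "\n".join(records)

def poison_name(value):
    """Name the SLUB poison if all eight bytes of a 64-bit value are the same poison byte."""
    low = value & 0xff
    return POISON_BYTES.get(low) if value == int.from_bytes(bytes([low]) * 8, "big") else None

def parse_oops(text):
    """Fields an analyst reads first; only the first (kernel-side) register dump is kept."""
    r = {"fault": None, "fault_address": None, "pid": None, "comm": None, "taint": [],
         "rip": None, "rip_module": None, "regs": {}, "trace": []}
    in_trace = False
    for raw in join_wrapped(text).splitlines():
        line = PREFIX_RE.sub("", raw, count=1)
        if line.strip() in ("Call Trace:", "<TASK>"):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:  # (symbol, module, reliable); a leading '? ' marks an unreliable guess
                r["trace"].append((m.group(2), m.group(3), m.group(1) is None))
                continue
            in_trace = False  # first non-frame line (user RIP, modules, end trace) ends it
        m = FAULT_RE.match(line)
        if m and r["fault"] is None:
            r["fault"], a = m.group(1), ADDR_RE.search(line)
            r["fault_address"] = int(a.group(1), 16) if a else None
        m = TASK_RE.search(line)
        if m:
            r["pid"], r["comm"] = int(m.group(1)), m.group(2)
            r["taint"] = list("".join((m.group(3) or "").split()))  # "P  D  OE" -> P,D,O,E
        m = RIP_RE.match(line)
        if m and r["rip"] is None:
            r["rip"], r["rip_module"] = m.group(1), m.group(2)
        for m in REG_RE.finditer(line):  # setdefault: the later user-space dump cannot win
            r["regs"].setdefault(m.group(1), int(m.group(2), 16))
    return r

def triage(report):
    """A full poison pattern in the fault address or a register marks a use-after-free."""
    poisoned = {reg: poison_name(v) for reg, v in report["regs"].items() if poison_name(v)}
    addr = report["fault_address"]
    names = set(poisoned.values()) | ({poison_name(addr)} if addr is not None else set())
    if "POISON_FREE" in names:
        kind = "use-after-free"
    elif "POISON_INUSE" in names:
        kind = "uninitialised-memory use"
    elif addr is not None and addr < 0x1000:
        kind = "NULL-pointer dereference"
    else:
        kind = "unclassified"
    path = [f"{s} [{m}]" if m else s for s, m, ok in report["trace"] if ok]
    return {"kind": kind, "poisoned_registers": poisoned, "reliable_path": path,
            "prior_oops": "D" in report["taint"]}  # taint D: the kernel had already died
```

Run `triage(parse_oops(open("oops.txt").read()))` on a saved journal or dmesg capture. The `prior_oops` flag (taint D, and oops counter #47 in the dump above) is a reminder that a kernel which has already oopsed may be running on corrupted state; the first clean oops after a fresh boot is the one worth attaching to a report.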
