Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Mon, 2017-04-03 at 15:14 +0300, Denys Fedoryshchenko wrote: > On 2017-04-03 15:09, Eric Dumazet wrote: > > On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote: > > > >> I modified patch a little as: > >> if (th->doff * 4 < sizeof(_tcph)) { > >> par->hotdrop = true; > >>

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On 2017-04-03 15:09, Eric Dumazet wrote: On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote: I modified patch a little as: if (th->doff * 4 < sizeof(_tcph)) { par->hotdrop = true; WARN_ON_ONCE(!tcpinfo->option); return false; } And it did triggered WARN once at morning, and

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Mon, 2017-04-03 at 11:10 +0300, Denys Fedoryshchenko wrote: > I modified patch a little as: > if (th->doff * 4 < sizeof(_tcph)) { > par->hotdrop = true; > WARN_ON_ONCE(!tcpinfo->option); > return false; > } > > And it did triggered WARN once at morning, and didn't hit KASAN. I will >

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On 2017-04-02 20:26, Eric Dumazet wrote: On Sun, 2017-04-02 at 10:14 -0700, Eric Dumazet wrote: Could that be that netfilter does not abort earlier if TCP header is completely wrong ? Yes, I wonder if this patch would be better, unless we replicate the th->doff sanity check in all netfilter

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Sun, 2017-04-02 at 10:14 -0700, Eric Dumazet wrote: > Could that be that netfilter does not abort earlier if TCP header is > completely wrong ? > Yes, I wonder if this patch would be better, unless we replicate the th->doff sanity check in all netfilter modules dissecting TCP frames. diff

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Sun, 2017-04-02 at 19:52 +0300, Denys Fedoryshchenko wrote: > On 2017-04-02 15:32, Eric Dumazet wrote: > > On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote: > >> > */ > >> I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for > >> curiosity, if this condition are

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On 2017-04-02 15:32, Eric Dumazet wrote: On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote: > */ I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for curiosity, if this condition are triggered. Is it fine like that? Sure. It didnt triggered WARN_ON, and with both

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Sun, 2017-04-02 at 15:25 +0300, Denys Fedoryshchenko wrote: > > */ > I will add also WARN_ON_ONCE(tcp_hdrlen >= 15 * 4) before, for > curiosity, if this condition are triggered. Is it fine like that? Sure. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On 2017-04-02 15:19, Eric Dumazet wrote: On Sun, 2017-04-02 at 04:54 -0700, Eric Dumazet wrote: On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote: > Eric Dumazet wrote: > > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt,

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Sun, 2017-04-02 at 04:54 -0700, Eric Dumazet wrote: > On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote: > > Eric Dumazet wrote: > > > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += > > > optlen(opt, i)) { > > > + for (i = sizeof(struct

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Sun, 2017-04-02 at 13:45 +0200, Florian Westphal wrote: > Eric Dumazet wrote: > > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += > > optlen(opt, i)) { > > + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += > > optlen(opt,

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On 2017-04-02 14:45, Florian Westphal wrote: Eric Dumazet wrote: - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { if (opt[i]

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

Eric Dumazet wrote: > - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += > optlen(opt, i)) { > + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - TCPOLEN_MSS; i += > optlen(opt, i)) { > if (opt[i] == TCPOPT_MSS && opt[i+1] ==

Re: KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

On Sun, 2017-04-02 at 10:43 +0300, Denys Fedoryshchenko wrote: > Repost, due being sleepy missed few important points. > > I am searching reasons of crashes for multiple conntrack enabled > servers, usually they point to conntrack, but i suspect use after free > might be somewhere else, > so i

KASAN, xt_TCPMSS finally found nasty use-after-free bug? 4.10.8

Repost, due being sleepy missed few important points. I am searching reasons of crashes for multiple conntrack enabled servers, usually they point to conntrack, but i suspect use after free might be somewhere else, so i tried to enable KASAN. And seems i got something after few hours, and it