On Wed, Jun 21, 2023 at 1:14 PM Florian Westphal fw@strlen.de wrote:
Florent Revest revest@chromium.org wrote:
On Tue, Jun 20, 2023 at 8:35 AM Pablo Neira Ayuso pablo@netfilter.org wrote:
On Thu, Jun 15, 2023 at 05:29:18PM +0200, Florent Revest wrote:
If register_nf_conntrack_bpf() fails (for example, if the .BTF section contains an invalid entry), nf_conntrack_init_start() calls nf_conntrack_helper_fini() as part of its cleanup path and nf_ct_helper_hash gets freed.
Further netfilter modules like netfilter_conntrack_ftp don't check whether nf_conntrack initialized correctly and call nf_conntrack_helpers_register() which accesses the freed nf_ct_helper_hash and causes a uaf.
This patch guards nf_conntrack_helper_register() from accessing freed/uninitialized nf_ct_helper_hash maps and fixes a boot-time use-after-free.
How could this possibly happen?
Here is one way to reproduce this bug:
# Use nf/main git clone git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git cd nf
# Start from a minimal config make LLVM=1 LLVM_IAS=0 defconfig
# Enable KASAN, BTF and nf_conntrack_ftp scripts/config -e KASAN -e BPF_SYSCALL -e DEBUG_INFO -e DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT -e DEBUG_INFO_BTF -e NF_CONNTRACK_FTP make LLVM=1 LLVM_IAS=0 olddefconfig
# Build without the LLVM integrated assembler make LLVM=1 LLVM_IAS=0 -j `nproc`
(Note that the use of LLVM_IAS=0, KASAN and BTF is just to trigger a bug in BTF that will be fixed by https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=97241... Independently of that specific BTF bug, it shows how an error in nf_conntrack_bpf can cause a boot-time uaf in netfilter)
Then, booting gives me:
[ 4.624666] BPF: [13893] FUNC asan.module_ctor [ 4.625611] BPF: type_id=1 [ 4.626176] BPF: [ 4.626601] BPF: Invalid name [ 4.627208] BPF: [ 4.627723] ================================================================== [ 4.628610] BUG: KASAN: slab-use-after-free in nf_conntrack_helper_register+0x129/0x2f0 [ 4.628610] Read of size 8 at addr ffff888102d24000 by task swapper/0/1 [ 4.628610]
Isn't that better than limping along?
Note that this only panics because KASAN instrumentation notices the use-after-free and makes a lot of noise about it. In a non-debug boot, this would just silently corrupt random memory instead.
in this case an initcall is failing and I think panic is preferrable to a kernel that behaves like NF_CONNTRACK_FTP=n.
In that case, it seems like what you'd want is nf_conntrack_standalone_init() to BUG() instead of returning an error then ? (so you'd never get to NF_CONNTRACK_FTP or any other if nf_conntrack failed to initialize) If this is the prefered behavior, then sure, why not.
AFAICS this problem is specific to NF_CONNTRACK_FTP=y (or any other helper module, for that matter).
Even with NF_CONNTRACK_FTP=m, the initialization failure in nf_conntrack_standalone_init() still happens. Therefore, the helper hashtable gets freed and when the nf_conntrack_ftp.ko module gets insmod-ed, it calls nf_conntrack_helpers_register() and this still causes a use-after-free.
If you disagree please resend with a commit message that makes it clear that this is only relevant for the 'builtin' case.