Re: [PATCH nf] netfilter: ebtables: reject blobs that don't provide all entry points

[john . p . donnelly]

On 8/29/22 9:03 AM, Florian Westphal wrote:
> john.p.donnelly@xxxxxxxxxx <john.p.donnelly@xxxxxxxxxx> wrote:
> > On 8/20/22 12:35 PM, Florian Westphal wrote:
> > > For some reason ebtables reject blobs that provide entry points that are
> > > not supported by the table.
> > >
> > > What it should instead reject is the opposite, i.e. rulesets that
> > > DO NOT provide an entry point that is supported by the table.
> > >
> > > t->valid_hooks is the bitmask of hooks (input, forward ...) that will
> > > see packets.  So, providing an entry point that is not support is
> > > harmless (never called/used), but the reverse is NOT, this will cause
> > > crash because the ebtables traverser doesn't expect a NULL blob for
> > > a location its receiving packets for.
> > >
> > > Instead of fixing all the individual checks, do what iptables is doing and
> > > reject all blobs that doesn't provide the expected hooks.
> > >
> > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
> > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> >
> > Hi,
> >
> >   Could you please add the panic stack mentioned above  and syzkaller
> > reproducer ID to the commit text ?
>
> I did not see a reproducer ID.  What ended up in the tree is this:
>
> https://urldefense.com/v3/__https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7997eff82828304b780dc0a39707e1946d6f1ebf__;!!ACWV5N9M2RV99hQ!JxonjgQUi7Mbcd-ouxRwPgu8Jwl6ej2rO4pTvYMtteWexclV5-hciu9e5rgtkXoB7dyAdLCyZ4EQ9HQj$

Thank you !