Dalegaard says:
The following ruleset, when loaded with 'nft -f bad.txt'
----snip----
flush ruleset
table ip inlinenat {
map sourcemap {
type ipv4_addr : verdict;
}
chain postrouting {
ip saddr vmap @sourcemap accept
}
}
add chain inlinenat test
add element inlinenat sourcemap { 100.123.10.2 : jump test }
----snip----
results in a kernel oops:
BUG: unable to handle kernel paging request at
0000000000001344
IP: [<
ffffffffa07bf704>] nf_tables_check_loops+0x114/0x1f0 [nf_tables]
[...]
Call Trace:
[<
ffffffffa07c2aae>] ? nft_data_init+0x13e/0x1a0 [nf_tables]
[<
ffffffffa07c1950>] nft_validate_register_store+0x60/0xb0 [nf_tables]
[<
ffffffffa07c74b5>] nft_add_set_elem+0x545/0x5e0 [nf_tables]
[<
ffffffffa07bfdd0>] ? nft_table_lookup+0x30/0x60 [nf_tables]
[<
ffffffff8132c630>] ? nla_strcmp+0x40/0x50
[<
ffffffffa07c766e>] nf_tables_newsetelem+0x11e/0x210 [nf_tables]
[<
ffffffff8132c400>] ? nla_validate+0x60/0x80
[<
ffffffffa030d9b4>] nfnetlink_rcv+0x354/0x5a7 [nfnetlink]
Because we forget to fill the net pointer in bind_ctx, so dereferencing
it may cause kernel crash.
Reported-by: Dalegaard <dalegaard@gmail.com>
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
dreg = nft_type_to_reg(set->dtype);
list_for_each_entry(binding, &set->bindings, list) {
struct nft_ctx bind_ctx = {
+ .net = ctx->net,
.afi = ctx->afi,
.table = ctx->table,
.chain = (struct nft_chain *)binding->chain,