Bug#933265: linux-image-4.19.0-5-arm64: NULL pointer dereference at nf_tables_newrule
Package: src:linux
Version: 4.19.37-5+deb10u1
Severity: normal
Dear Maintainer,
I've discovered recently that loading the following set of iptables rules with iptables-nft-restore:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 0 -m comment --comment "Ping" -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -m comment --comment "Ping" -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A INPUT -p icmp --icmp-type any -m limit --limit 10/sec -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ssh --hashlimit-htable-expire 65536 -m comment --comment "SSH Blocker" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "SSH Blocker" -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p udp -m udp -d 224/4 -j REJECT
COMMIT
Triggers the following NULL pointer dereference:
[ 181.133805] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
[ 181.135156] Mem abort info:
[ 181.135313] ESR = 0x96000004
[ 181.135484] Exception class = DABT (current EL), IL = 32 bits
[ 181.135697] SET = 0, FnV = 0
[ 181.135819] EA = 0, S1PTW = 0
[ 181.135953] Data abort info:
[ 181.136075] ISV = 0, ISS = 0x00000004
[ 181.136218] CM = 0, WnR = 0
[ 181.136569] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000006b2d46d6
[ 181.137242] [0000000000000028] pgd=0000000000000000
[ 181.137752] Internal error: Oops: 96000004 [#1] SMP
[ 181.138038] Modules linked in: nft_limit nft_counter ipt_REJECT nf_reject_ipv4 xt_hashlimit xt_tcpudp xt_limit xt_comment ip_tables xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nft_compat x_tables nf_tables nfnetlink autofs4 fuse 9p fscache nls_ascii nls_cp437 vfat fat evdev aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce gf128mul sha2_ce sha256_arm64 sha1_ce efi_pstore gpio_keys efivars 9pnet_virtio virtio_net 9pnet net_failover failover qemu_fw_cfg ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb aes_arm64 dm_mod virtio_blk virtio_rng rng_core virtio_mmio virtio_pci virtio_ring virtio
[ 181.140242] Process iptables-restor (pid: 1886, stack limit = 0x00000000eeeb9f00)
[ 181.140676] CPU: 0 PID: 1886 Comm: iptables-restor Not tainted 4.19.0-5-arm64 #1 Debian 4.19.37-5+deb10u1
[ 181.140999] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
[ 181.141423] pstate: 80000005 (Nzcv daif -PAN -UAO)
[ 181.142111] pc : nf_tables_newrule+0x4b4/0x718 [nf_tables]
[ 181.142331] lr : nf_tables_newrule+0x4bc/0x718 [nf_tables]
[ 181.142532] sp : ffff0000099037a0
[ 181.142672] x29: ffff0000099037a0 x28: 0000000000000003
[ 181.142885] x27: 0000000000000000 x26: ffff294393bd8840
[ 181.143084] x25: ffffa0defcc901b0 x24: 00000000fffffff5
[ 181.143287] x23: ffffa0defd490b00 x22: ffff000008a35878
[ 181.143480] x21: ffffa0defcc90120 x20: 0000000000000002
[ 181.143679] x19: ffff294393aa9708 x18: ffff294393ac7220
[ 181.143878] x17: 0000000000000000 x16: 0000000000000006
[ 181.144080] x15: 0000000000000000 x14: ffffa0defde99860
[ 181.144267] x13: ffffa0defde996d0 x12: 0000000000000028
[ 181.144466] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f
[ 181.144674] x9 : fefeff73686c686b x8 : 0000294317db3b7c
[ 181.144876] x7 : fefefefefefefefe x6 : 0000000000808080
[ 181.145075] x5 : 0000000000000000 x4 : ffff29431f6bb968
[ 181.145276] x3 : 0000000000000006 x2 : 0000000000000005
[ 181.145479] x1 : 0000000000000006 x0 : 0000000000000000
[ 181.145772] Call trace:
[ 181.145966] nf_tables_newrule+0x4b4/0x718 [nf_tables]
[ 181.146178] nfnetlink_rcv_batch+0x3ec/0x580 [nfnetlink]
[ 181.146388] nfnetlink_rcv+0x138/0x188 [nfnetlink]
[ 181.146810] netlink_unicast+0x1d0/0x260
[ 181.146968] netlink_sendmsg+0x1b0/0x358
[ 181.147128] sock_sendmsg+0x4c/0x68
[ 181.147273] ___sys_sendmsg+0x288/0x2c8
[ 181.147419] __sys_sendmsg+0x7c/0xd0
[ 181.147559] __arm64_sys_sendmsg+0x2c/0x38
[ 181.147726] el0_svc_common+0x94/0x108
[ 181.147881] el0_svc_handler+0x38/0x78
[ 181.148037] el0_svc+0x8/0xc
[ 181.148314] Code: d503201f f94002a0 b4000080 f9402c00 (f9401400)
[ 181.148838] ---[ end trace 04c9f90c72f843fa ]---
I can reproduce this problem on both QEMU and real hardware, and as far as I can tell both aarch64 and armhf are affected.
Sincerely yours, Reco
-- Package-specific info:
** Version:
Linux version 4.19.0-5-arm64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19)
** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-5-arm64 root=/dev/mapper/stretch--arm64--vg-root ro quiet console=ttyAMA0
** Not tainted
** Kernel log:
Unable to read kernel log; any relevant messages should be attached
** Model information
** Loaded modules:
nft_counter
ipt_REJECT
nf_reject_ipv4
xt_tcpudp
nft_compat
nf_tables
x_tables
nfnetlink
tcp_diag
inet_diag
autofs4
fuse
9p
fscache
nls_ascii
nls_cp437
vfat
fat
evdev
aes_ce_blk
crypto_simd
cryptd
aes_ce_cipher
ghash_ce
gf128mul
sha2_ce
sha256_arm64
sha1_ce
efi_pstore
gpio_keys
efivars
9pnet_virtio
virtio_net
net_failover
9pnet
failover
qemu_fw_cfg
ext4
crc16
mbcache
jbd2
crc32c_generic
fscrypto
ecb
aes_arm64
dm_mod
virtio_blk
virtio_rng
rng_core
virtio_mmio
virtio_pci
virtio_ring
virtio
** PCI devices:
00:00.0 Host bridge [0600]: Red Hat, Inc. QEMU PCIe Host bridge [1b36:0008]
Subsystem: Red Hat, Inc QEMU PCIe Host bridge [1af4:1100]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
00:01.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
Subsystem: Red Hat, Inc Virtio network device [1af4:0001]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 40
Region 0: I/O ports at f080 [size=32]
Region 1: Memory at 3ee12000 (32-bit, non-prefetchable) [size=4K]
Region 4: Memory at 3ee00000 (64-bit, prefetchable) [size=16K]
Expansion ROM at fffc0000 [disabled] [size=256K]
Capabilities: [98] MSI-X: Enable+ Count=3 Masked-
Vector table: BAR=1 offset=00000000
PBA: BAR=1 offset=00000800
Capabilities: [84] Vendor Specific Information: VirtIO: <unknown>
BAR=0 offset=00000000 size=00000000
Capabilities: [70] Vendor Specific Information: VirtIO: Notify
BAR=4 offset=00003000 size=00001000 multiplier=00000004
Capabilities: [60] Vendor Specific Information: VirtIO: DeviceCfg
BAR=4 offset=00002000 size=00001000
Capabilities: [50] Vendor Specific Information: VirtIO: ISR
BAR=4 offset=00001000 size=00001000
Capabilities: [40] Vendor Specific Information: VirtIO: CommonCfg
BAR=4 offset=00000000 size=00001000
Kernel driver in use: virtio-pci
Kernel modules: virtio_pci
00:02.0 Unclassified device [0002]: Red Hat, Inc Virtio filesystem [1af4:1009]
Subsystem: Red Hat, Inc Virtio filesystem [1af4:0009]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 41
Region 0: I/O ports at f060 [size=32]
Region 1: Memory at 3ee11000 (32-bit, non-prefetchable) [size=4K]
Region 4: Memory at 3ee0c000 (64-bit, prefetchable) [size=16K]
Capabilities: [98] MSI-X: Enable+ Count=2 Masked-
Vector table: BAR=1 offset=00000000
PBA: BAR=1 offset=00000800
Capabilities: [84] Vendor Specific Information: VirtIO: <unknown>
BAR=0 offset=00000000 size=00000000
Capabilities: [70] Vendor Specific Information: VirtIO: Notify
BAR=4 offset=00003000 size=00001000 multiplier=00000004
Capabilities: [60] Vendor Specific Information: VirtIO: DeviceCfg
BAR=4 offset=00002000 size=00001000
Capabilities: [50] Vendor Specific Information: VirtIO: ISR
BAR=4 offset=00001000 size=00001000
Capabilities: [40] Vendor Specific Information: VirtIO: CommonCfg
BAR=4 offset=00000000 size=00001000
Kernel driver in use: virtio-pci
Kernel modules: virtio_pci
00:03.0 Unclassified device [00ff]: Red Hat, Inc Virtio RNG [1af4:1005]
Subsystem: Red Hat, Inc Virtio RNG [1af4:0004]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 42
Region 0: I/O ports at f040 [size=32]
Region 4: Memory at 3ee08000 (64-bit, prefetchable) [size=16K]
Capabilities: [84] Vendor Specific Information: VirtIO: <unknown>
BAR=0 offset=00000000 size=00000000
Capabilities: [70] Vendor Specific Information: VirtIO: Notify
BAR=4 offset=00003000 size=00001000 multiplier=00000004
Capabilities: [60] Vendor Specific Information: VirtIO: DeviceCfg
BAR=4 offset=00002000 size=00001000
Capabilities: [50] Vendor Specific Information: VirtIO: ISR
BAR=4 offset=00001000 size=00001000
Capabilities: [40] Vendor Specific Information: VirtIO: CommonCfg
BAR=4 offset=00000000 size=00001000
Kernel driver in use: virtio-pci
Kernel modules: virtio_pci
00:04.0 SCSI storage controller [0100]: Red Hat, Inc Virtio block device [1af4:1001]
Subsystem: Red Hat, Inc Virtio block device [1af4:0002]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 43
Region 0: I/O ports at f000 [size=64]
Region 1: Memory at 3ee10000 (32-bit, non-prefetchable) [size=4K]
Region 4: Memory at 3ee04000 (64-bit, prefetchable) [size=16K]
Capabilities: [98] MSI-X: Enable+ Count=2 Masked-
Vector table: BAR=1 offset=00000000
PBA: BAR=1 offset=00000800
Capabilities: [84] Vendor Specific Information: VirtIO: <unknown>
BAR=0 offset=00000000 size=00000000
Capabilities: [70] Vendor Specific Information: VirtIO: Notify
BAR=4 offset=00003000 size=00001000 multiplier=00000004
Capabilities: [60] Vendor Specific Information: VirtIO: DeviceCfg
BAR=4 offset=00002000 size=00001000
Capabilities: [50] Vendor Specific Information: VirtIO: ISR
BAR=4 offset=00001000 size=00001000
Capabilities: [40] Vendor Specific Information: VirtIO: CommonCfg
BAR=4 offset=00000000 size=00001000
Kernel driver in use: virtio-pci
Kernel modules: virtio_pci
** USB devices:
not available
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: arm64 (aarch64)
Kernel: Linux 4.19.0-5-arm64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages linux-image-4.19.0-5-arm64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.133
ii kmod 26-1
ii linux-base 4.6
Versions of packages linux-image-4.19.0-5-arm64 recommends:
pn apparmor <none>
pn firmware-linux-free <none>
Versions of packages linux-image-4.19.0-5-arm64 suggests:
pn debian-kernel-handbook <none>
pn linux-doc-4.19 <none>
Versions of packages linux-image-4.19.0-5-arm64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
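As an added example (not part of Reco's report, nor code from the Debian kernel package), here is a small Python analyser that parses the arm64 oops quoted above and decodes its ESR and faulting instruction the way a triager would, to confirm that the fault address 0x28 is a struct field offset read through a NULL base pointer. It assumes the ARMv8 ESR_ELx bit layout and the A64 `LDR Xt, [Xn, #imm]` (unsigned immediate) encoding; the sample lines are copied from the report, and only that one load encoding is decoded, so any other instruction yields `None`.

```python
"""Parse an arm64 kernel oops and decode its ESR and faulting instruction.

Added example, not part of the original bug report.  Bit layouts follow the
ARMv8 ESR_ELx definition and the A64 LDR (unsigned offset) encoding; the
sample log below is copied from the report.
"""
import re

# Sample input: the relevant oops lines as quoted in the bug report.
SAMPLE_OOPS = """\
[ 181.133805] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
[ 181.135156] Mem abort info:
[ 181.135313] ESR = 0x96000004
[ 181.140242] Process iptables-restor (pid: 1886, stack limit = 0x00000000eeeb9f00)
[ 181.140676] CPU: 0 PID: 1886 Comm: iptables-restor Not tainted 4.19.0-5-arm64 #1 Debian 4.19.37-5+deb10u1
[ 181.142111] pc : nf_tables_newrule+0x4b4/0x718 [nf_tables]
[ 181.145479] x1 : 0000000000000006 x0 : 0000000000000000
[ 181.145772] Call trace:
[ 181.145966] nf_tables_newrule+0x4b4/0x718 [nf_tables]
[ 181.146178] nfnetlink_rcv_batch+0x3ec/0x580 [nfnetlink]
[ 181.146388] nfnetlink_rcv+0x138/0x188 [nfnetlink]
[ 181.146810] netlink_unicast+0x1d0/0x260
[ 181.147726] el0_svc_common+0x94/0x108
[ 181.148037] el0_svc+0x8/0xc
[ 181.148314] Code: d503201f f94002a0 b4000080 f9402c00 (f9401400)
"""

EC_NAMES = {0x20: "IABT (lower EL)", 0x21: "IABT (current EL)",
            0x24: "DABT (lower EL)", 0x25: "DABT (current EL)"}
DFSC_NAMES = {0x04 + i: f"translation fault, level {i}" for i in range(4)}
DFSC_NAMES.update({0x08 + i: f"access flag fault, level {i}" for i in range(1, 4)})
DFSC_NAMES.update({0x0c + i: f"permission fault, level {i}" for i in range(1, 4)})
# Data-abort ISS fields: (name, bit position, width).
DABT_ISS = (("isv", 24, 1), ("set", 11, 2), ("fnv", 10, 1), ("ea", 9, 1),
            ("cm", 8, 1), ("s1ptw", 7, 1), ("wnr", 6, 1), ("dfsc", 0, 6))


def decode_esr(esr):
    """Split ESR_ELx into EC / IL / ISS and, for data aborts, the ISS fields."""
    ec = (esr >> 26) & 0x3f
    out = {"ec": ec, "ec_name": EC_NAMES.get(ec, f"unknown (0x{ec:02x})"),
           "il_bits": 32 if (esr >> 25) & 1 else 16, "iss": esr & 0x1ffffff}
    if ec in (0x24, 0x25):
        for name, shift, width in DABT_ISS:
            out[name] = (out["iss"] >> shift) & ((1 << width) - 1)
        out["dfsc_name"] = DFSC_NAMES.get(out["dfsc"], "other")
    return out


def decode_ldr_imm64(insn):
    """Decode only 64-bit 'LDR Xt, [Xn, #imm]' (unsigned offset); else None."""
    if (insn & 0xFFC00000) != 0xF9400000:
        return None
    return {"rt": insn & 0x1f, "rn": (insn >> 5) & 0x1f,
            "offset": ((insn >> 10) & 0xfff) * 8}  # imm12 scaled by 8


def parse_oops(text):
    """Extract fault address, ESR, process, pc, registers, trace and code bytes."""
    info = {"regs": {}, "call_trace": [], "code": []}
    in_trace = False
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s*", "", raw)  # drop printk timestamp
        if m := re.search(r"virtual address ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.search(r"ESR = 0x([0-9a-f]+)", line):
            info["esr"] = int(m.group(1), 16)
        elif m := re.match(r"Process (\S+) \(pid: (\d+)", line):
            info["process"], info["pid"] = m.group(1), int(m.group(2))
        elif m := re.search(r"Comm: \S+ (Not tainted|Tainted: \S+) (\S+)", line):
            info["tainted"], info["kernel"] = m.group(1) != "Not tainted", m.group(2)
        elif m := re.match(r"pc : (\S+)(?: \[(\S+)\])?", line):
            info["pc"], info["pc_module"] = m.group(1), m.group(2)
        elif m := re.match(r"Code: (.*)", line):
            for word in m.group(1).split():
                info["code"].append(int(word.strip("()"), 16))
                if word.startswith("("):  # parenthesised word is the faulting insn
                    info["faulting_insn"] = info["code"][-1]
        elif line.startswith("Call trace:"):
            in_trace = True
        elif in_trace and re.match(r"\S+\+0x", line):
            info["call_trace"].append(line.split()[0])
        for reg, val in re.findall(r"\bx(\d+)\s*:\s*([0-9a-f]{16})", line):
            info["regs"][int(reg)] = int(val, 16)
    return info


def analyse(text, page_size=4096):
    """Summarise the crash and cross-check the faulting load against the registers."""
    info, esr = parse_oops(text), decode_esr(parse_oops(text)["esr"])
    where = f"{info['pc']} [{info['pc_module']}]" if info.get("pc_module") else info["pc"]
    result = {"where": where, "process": info["process"], "exception": esr["ec_name"],
              "access": "write" if esr.get("wnr") else "read",
              "fault_kind": esr.get("dfsc_name"),
              # A fault address below one page is a NULL base plus a field offset.
              "null_deref": info["fault_addr"] < page_size,
              "field_offset": info["fault_addr"],
              "entry_from_userspace": any(f.startswith("el0_svc") for f in info["call_trace"])}
    if (ldr := decode_ldr_imm64(info.get("faulting_insn", 0))) is not None:
        base = info["regs"].get(ldr["rn"])
        result["insn"] = f"ldr x{ldr['rt']}, [x{ldr['rn']}, #{ldr['offset']:#x}]"
        result["insn_matches_fault"] = base is not None and base + ldr["offset"] == info["fault_addr"]
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_OOPS).items():
        print(f"{key:>21}: {value}")
```

Two things the decode makes explicit that the raw oops only implies: the access was a read (WnR = 0) at a sub-page address, and the bracketed instruction is `ldr x0, [x0, #0x28]` with x0 = 0, so this is a NULL-base field dereference rather than a wild pointer or a write; and the trace enters from el0_svc, so the path is reached from a userspace netlink batch rather than from an interrupt or a kernel thread.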