nft_lookup crash when running DDOS attack
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-bluefield (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Medium
|
Bodong Wang |
Bug Description
* Explain the bug
Running DDOS test on tcp port 22 will trigger kernel crash.
* Brief explanation of fixes
Do not update stateful expressions if lookup is inverted
* How to test
Configuration nftables with config file below:
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
jump filter_ssh
}
chain filter_ssh {
tcp dport { 22 } ct state new accept
}
}
* {22}: {} is mandatory to repro
If we don’t add {}, nft_lookup_eval function is never called and kernel crush isn’t reproduced.
Then apply nft by doing:
# nft -f temp_nftables.conf
Start hping3 from peer:
# hping3 -I {Host Device} -p 22 -d 52 {SmartNIC IP Address} --flood
DPU side will crash with kernel call trace without this fix.
CVE References
Changed in linux-bluefield (Ubuntu Focal): | |
assignee: | nobody → Bodong Wang (bodong-wang) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in linux-bluefield (Ubuntu): | |
status: | New → Invalid |
Changed in linux-bluefield (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-focal removed: verification-needed-focal |
This bug is awaiting verification that the linux-bluefield /5.4.0- 1058.64 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- focal' to 'verification- done-focal' . If the problem still exists, change the tag 'verification- needed- focal' to 'verification- failed- focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!