In the Linux kernel, the following vulnerability has been resolved:
netfilter: xtIDLETIMER: fix panic that occurs when timertype has garbage value
Currently, when the rule related to IDLETIMER is added, idletimertg timer structure is initialized by kmalloc on executing idletimertgcreate function. However, in this process timer->timertype is not defined to a specific value. Thus, timer->timertype has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timertype using kzalloc instead of kmalloc.
Test commands: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed
Splat looks like: BUG: KASAN: user-memory-access in alarmexpiresremaining+0x49/0x70 Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dumpstacklvl+0x6e/0x9c kasanreport.cold+0x112/0x117 ? alarmexpiresremaining+0x49/0x70 _asanload8+0x86/0xb0 alarmexpiresremaining+0x49/0x70 idletimertgshow+0xe5/0x19b [xtIDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] devattrshow+0x3c/0x60 sysfskfseqshow+0x11d/0x1f0 ? deviceremovebinfile+0x20/0x20 kernfsseqshow+0xa4/0xb0 seqreaditer+0x29c/0x750 kernfsfopreaditer+0x25a/0x2c0 ? _fsnotifyparent+0x3d1/0x570 ? ioviterinit+0x70/0x90 newsyncread+0x2a7/0x3d0 ? _x64sysllseek+0x230/0x230 ? rwverifyarea+0x81/0x150 vfsread+0x17b/0x240 ksysread+0xd9/0x180 ? vfswrite+0x460/0x460 ? dosyscall64+0x16/0xc0 ? lockdephardirqson+0x79/0x120 _x64sysread+0x43/0x50 dosyscall64+0x3b/0xc0 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000