| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 May 2017 17:41:57 +0800 (CST)
From: "Gao Feng" <gfree.wind@....163.com>
To: "Florian Westphal" <fw@...len.de>
Cc: dsa@...ulusnetworks.com, shm@...ulusnetworks.com,
davem@...emloft.net, netdev@...r.kernel.org,
"gfree.wind@...mail.com" <gfree.wind@...mail.com>
Subject: Re:Re: [PATCH net] driver: vrf: Fix one possible use-after-free
issue
At 2017-05-09 17:21:02, "Florian Westphal" <fw@...len.de> wrote:
>gfree.wind@....163.com <gfree.wind@....163.com> wrote:
>> When one netfilter rule or hook stoles the skb and return NF_STOLEN,
>> it means the skb is taken by the rule, and other modules should not
>> touch this skb ever. Maybe the skb is queued or freed directly by the
>> rule.
>>
>> Now uses the nf_hook instead of NF_HOOK to get the result of netfilter,
>> and check the return value of nf_hook. Only when its value equals 1, it
>> means the skb could go ahead. Or reset the skb as NULL.
>>
>> BTW, because vrf_rcv_finish is empty function, so needn't invoke it
>> even though nf_hook returns 1.
>
>Thats a bug then.
>
>The okfn (if called) takes ownership of skb and must free it eventually.
>Otherwise userspace queueing leaks skb on reinjection.
>
>(see nf_reinject() and its use of okfn()).
Thanks, I only thought about the stolen case like synproxy which would free the skb directly,
and forget the userspace could reinject the skb.
I would update the patch.
Best Regards
Feng
Powered by blists - more mailing lists