| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 May 2017 12:13:34 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: gfree.wind@....163.com
Cc: dsa@...ulusnetworks.com, shm@...ulusnetworks.com, fw@...len.de,
netdev@...r.kernel.org
Subject: Re: [PATCH net v2] driver: vrf: Fix one possible use-after-free
issue
From: gfree.wind@....163.com
Date: Tue, 9 May 2017 18:27:33 +0800
> From: Gao Feng <gfree.wind@....163.com>
>
> The current codes only deal with the case that the skb is dropped, it
> may meet one use-after-free issue when NF_HOOK returns 0 that means
> the skb is stolen by one netfilter rule or hook.
>
> When one netfilter rule or hook stoles the skb and return NF_STOLEN,
> it means the skb is taken by the rule, and other modules should not
> touch this skb ever. Maybe the skb is queued or freed directly by the
> rule.
>
> Now uses the nf_hook instead of NF_HOOK to get the result of netfilter,
> and check the return value of nf_hook. Only when its value equals 1, it
> means the skb could go ahead. Or reset the skb as NULL.
>
> BTW, because vrf_rcv_finish is empty function, so needn't invoke it
> even though nf_hook returns 1. But we need to modify vrf_rcv_finish
> to deal with the NF_STOLEN case.
>
> There are two cases when skb is stolen.
> 1. The skb is stolen and freed directly.
> There is nothing we need to do, and vrf_rcv_finish isn't invoked.
> 2. The skb is queued and reinjected again.
> The vrf_rcv_finish would be invoked as okfn, so need to free the
> skb in it.
>
> Signed-off-by: Gao Feng <gfree.wind@....163.com>
Applied and queued up for -stable, thanks.
Powered by blists - more mailing lists