lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 May 2017 12:13:34 -0400 (EDT) From: David Miller <davem@...emloft.net> To: gfree.wind@....163.com Cc: dsa@...ulusnetworks.com, shm@...ulusnetworks.com, fw@...len.de, netdev@...r.kernel.org Subject: Re: [PATCH net v2] driver: vrf: Fix one possible use-after-free issue From: gfree.wind@....163.com Date: Tue, 9 May 2017 18:27:33 +0800 > From: Gao Feng <gfree.wind@....163.com> > > The current codes only deal with the case that the skb is dropped, it > may meet one use-after-free issue when NF_HOOK returns 0 that means > the skb is stolen by one netfilter rule or hook. > > When one netfilter rule or hook stoles the skb and return NF_STOLEN, > it means the skb is taken by the rule, and other modules should not > touch this skb ever. Maybe the skb is queued or freed directly by the > rule. > > Now uses the nf_hook instead of NF_HOOK to get the result of netfilter, > and check the return value of nf_hook. Only when its value equals 1, it > means the skb could go ahead. Or reset the skb as NULL. > > BTW, because vrf_rcv_finish is empty function, so needn't invoke it > even though nf_hook returns 1. But we need to modify vrf_rcv_finish > to deal with the NF_STOLEN case. > > There are two cases when skb is stolen. > 1. The skb is stolen and freed directly. > There is nothing we need to do, and vrf_rcv_finish isn't invoked. > 2. The skb is queued and reinjected again. > The vrf_rcv_finish would be invoked as okfn, so need to free the > skb in it. > > Signed-off-by: Gao Feng <gfree.wind@....163.com> Applied and queued up for -stable, thanks.
Powered by blists - more mailing lists