Date: Wed, 28 Jan 2015 15:28:12 +0100 From: Jiri Slaby <jslaby@...e.cz> To: stable@...r.kernel.org Cc: linux-kernel@...r.kernel.org, Thomas Graf <tgraf@...g.ch>, "David S. Miller" <davem@...emloft.net>, Jiri Slaby <jslaby@...e.cz> Subject: [PATCH 3.12 062/176] net: Reset secmark when scrubbing packet From: Thomas Graf <tgraf@...g.ch> 3.12-stable review patch. If anyone has any objections, please let me know. =============== [ Upstream commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 ] skb_scrub_packet() is called when a packet switches between a context such as between underlay and overlay, between namespaces, or between L3 subnets. While we already scrub the packet mark, connection tracking entry, and cached destination, the security mark/context is left intact. It seems wrong to inherit the security context of a packet when going from overlay to underlay or across forwarding paths. Signed-off-by: Thomas Graf <tgraf@...g.ch> Acked-by: Flavio Leitner <fbl@...close.org> Signed-off-by: David S. Miller <davem@...emloft.net> Signed-off-by: Jiri Slaby <jslaby@...e.cz> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a8cf33868f9c..17313d17a923 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3523,6 +3523,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet) skb->local_df = 0; skb_dst_drop(skb); skb->mark = 0; + skb_init_secmark(skb); secpath_reset(skb); nf_reset(skb); nf_reset_trace(skb); -- 2.2.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
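Review bot: the added skb_init_secmark(skb) call, placed right after skb->mark = 0 in skb_scrub_packet(), runs unconditionally even though the function takes an xnet argument that none of the visible lines consult. The commit message lists three transitions (underlay/overlay, namespaces, L3 subnets) but does not say whether the security mark should also be cleared when xnet is false. Suggest stating in the commit message, or in a short comment next to the call, that the reset is intended for both values of xnet. It would also help to note that a policy matching on the security mark will see the initial value on any packet that has passed through this function, so reviewers of the stable backport can judge the behaviour change for existing 3.12 setups.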