| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Jun 2017 21:25:15 +0200
From: Richard Weinberger <richard@....at>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Cc: Pablo Neira Ayuso <pablo@...filter.org>, fw@...len.de,
David Miller <davem@...emloft.net>,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
David Gstir <david@...ma-star.at>, kaber@...sh.net,
"keescook@...omium.org" <keescook@...omium.org>
Subject: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID
Hi!
I noticed that nf_conntrack leaks kernel addresses, it uses the memory address
as identifier used for generating conntrack and expect ids..
Since these ids are also visible to unprivileged users via network namespaces
I suggest reverting these commits:
commit 7f85f914721ffcef382a57995182916bd43d8a65
Author: Patrick McHardy <kaber@...sh.net>
Date: Fri Sep 28 14:41:27 2007 -0700
[NETFILTER]: nf_conntrack: kill unique ID
Remove the per-conntrack ID, its not necessary anymore for dumping.
For compatiblity reasons we send the address of the conntrack to
userspace as ID.
Signed-off-by: Patrick McHardy <kaber@...sh.net>
Signed-off-by: David S. Miller <davem@...emloft.net>
commit 3583240249ef354760e04ae49bd7b462a638f40c
Author: Patrick McHardy <kaber@...sh.net>
Date: Fri Sep 28 14:41:50 2007 -0700
[NETFILTER]: nf_conntrack_expect: kill unique ID
Similar to the conntrack ID, the per-expectation ID is not needed
anymore, kill it.
Signed-off-by: Patrick McHardy <kaber@...sh.net>
Signed-off-by: David S. Miller <davem@...emloft.net>
Thanks,
//richard
Powered by blists - more mailing lists