Message-ID: <20190403174441.2l7xyk5o2hftrdm3@salvia>
Date: Wed, 3 Apr 2019 19:44:41 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Rundong Ge <rdong.ge@...il.com>
Cc: kadlec@...ckhole.kfki.hu, fw@...len.de, roopa@...ulusnetworks.com,
nikolay@...ulusnetworks.com, davem@...emloft.net,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
bridge@...ts.linux-foundation.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfilter:bridge: Hold bridge dev for fake_rtable to
avoid the dangling pointer
On Tue, Apr 02, 2019 at 12:56:09PM +0000, Rundong Ge wrote:
> Problem:
> When bridge-nf-call-iptables is enabled, skb_dst(skb) of packets that
> are in the nfqueue may be a dangling pointer if the user deletes the bridge.
> This is because packets that go through br_nf_pre_routing_finish will have the dst
> pointer set to br->fake_rtable. But the br struct will be freed
> without the reference check for these skbs.
>
> User impact:
> Kernel panic may happen when the user deletes the bridge if there is
> continuous traffic going through the nfqueue.
> Here is a panic on my device, which is using kernel v3.10.

This kernel is _very old_.

Could you provide the steps to reproduce this issue?

Holding the device doesn't seem the way to go to me; we have a
netdevice_notifier that is dropping packets for an interface that is
gone in nfnetlink_queue. We also drop packets whenever a hook is gone.

So I wonder if this is still a problem in mainline kernels.