lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 29 Oct 2021 17:53:03 -0600
From:   David Ahern <dsahern@...il.com>
To:     msizanoen <msizanoen@...labs.xyz>, davem@...emloft.net,
        yoshfuji@...ux-ipv6.org, dsahern@...nel.org, kuba@...nel.org
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Kernel leaks memory in ip6_dst_cache when suppress_prefix is
 present in ipv6 routing rules and a `fib` rule is present in ipv6 nftables
 rules

On 10/26/21 8:24 AM, msizanoen wrote:
> The kernel leaks memory when a `fib` rule is present in ipv6 nftables
> firewall rules and a suppress_prefix rule
> is present in the IPv6 routing rules (used by certain tools such as
> wg-quick). In such scenarios, every incoming
> packet will leak an allocation in ip6_dst_cache slab cache.
> 
> After some hours of `bpftrace`-ing and source code reading, I tracked
> down the issue to this commit:
>     https://github.com/torvalds/linux/commit/ca7a03c4175366a92cee0ccc4fec0038c3266e26
> 
> 
> The problem with that patch is that the generic args->flags always have
> FIB_LOOKUP_NOREF set[1][2] but the
> ip6-specific flag RT6_LOOKUP_F_DST_NOREF might not be specified, leading
> to fib6_rule_suppress not
> decreasing the refcount when needed. This can be fixed by exposing the
> protocol-specific flags to the
> protocol specific `suppress` function, and check the protocol-specific
> `flags` argument for
> RT6_LOOKUP_F_DST_NOREF instead of the generic FIB_LOOKUP_NOREF when
> decreasing the refcount.
> 
> How to reproduce:
> - Add the following nftables rule to a prerouting chain: `meta nfproto
> ipv6 fib saddr . mark . iif oif missing drop`

exact command? I have not played with nftables. Do you have a stack
trace of where the dst reference is getting taken?


> - Run `sudo ip -6 rule add table main suppress_prefixlength 0`
> - Watch `sudo slabtop -o | grep ip6_dst_cache` memory usage increase
> with every incoming ipv6 packet
> 
> Example
> patch:https://gist.github.com/msizanoen1/36a2853467a9bd34fadc5bb3783fde0f
> 
> [1]:https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
> 
> [2]:https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
> 
> 
>

Powered by blists - more mailing lists