lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 5 May 2022 20:28:16 -0700
From:   David Ahern <dsahern@...nel.org>
To:     Chris Packham <chris.packham@...iedtelesis.co.nz>,
        davem@...emloft.net, yoshfuji@...ux-ipv6.org, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com, tgraf@...g.ch,
        lokesh.dhoundiyal@...iedtelesis.co.nz
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [net PATCH] ipv4: drop dst in multicast routing path

On 5/4/22 7:00 PM, Chris Packham wrote:
> From: Lokesh Dhoundiyal <lokesh.dhoundiyal@...iedtelesis.co.nz>
> 
> kmemleak reports the following when routing multicast traffic over an
> ipsec tunnel.
> 
> Kmemleak output:
> unreferenced object 0x8000000044bebb00 (size 256):
>   comm "softirq", pid 0, jiffies 4294985356 (age 126.810s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80  ..............t.
>     80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000f83947e0>] __kmalloc+0x1e8/0x300
>     [<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58
>     [<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8
>     [<00000000824f6cf1>] gre_rcv+0x178/0x540
>     [<00000000ccd4e162>] gre_rcv+0x7c/0xd8
>     [<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350
>     [<000000006a483377>] ip_local_deliver_finish+0x54/0x68
>     [<00000000d9271b3a>] ip_local_deliver+0x128/0x168
>     [<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8
>     [<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0
>     [<0000000062e9c336>] __do_softirq+0x1fc/0x3e0
>     [<00000000013d7914>] irq_exit+0xc4/0xe0
>     [<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108
>     [<000000000751eb8e>] handle_int+0x16c/0x178
>     [<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28
> 
> The metadata dst is leaked when ip_route_input_mc() updates the dst for
> the skb. Commit f38a9eb1f77b ("dst: Metadata destinations") correctly
> handled dropping the dst in ip_route_input_slow() but missed the
> multicast case which is handled by ip_route_input_mc(). Drop the dst in
> ip_route_input_mc() avoiding the leak.
> 
> Fixes: f38a9eb1f77b ("dst: Metadata destinations")
> Signed-off-by: Lokesh Dhoundiyal <lokesh.dhoundiyal@...iedtelesis.co.nz>
> Signed-off-by: Chris Packham <chris.packham@...iedtelesis.co.nz>
> ---
> 
> Notes:
>     We started seeing this leak in our scenario after commit c0d59da79534
>     ("ip_gre: Make none-tun-dst gre tunnel store tunnel info as metadat_dst
>     in recv") but there may be other paths that hit the leak so I've set the
>     fixes tag as f38a9eb1f77b ("dst: Metadata destinations").
> 
>  net/ipv4/route.c | 1 +
>  1 file changed, 1 insertion(+)
> 

Reviewed-by: David Ahern <dsahern@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ