lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZoukPaoTJKefF1g+@localhost.localdomain>
Date: Mon, 8 Jul 2024 10:33:01 +0200
From: Michal Kubiak <michal.kubiak@...el.com>
To: Chengen Du <chengen.du@...onical.com>
CC: Florian Westphal <fw@...len.de>, <jhs@...atatu.com>,
	<xiyou.wangcong@...il.com>, <jiri@...nulli.us>, <davem@...emloft.net>,
	<edumazet@...gle.com>, <kuba@...nel.org>, <pabeni@...hat.com>,
	<ozsh@...dia.com>, <paulb@...dia.com>, <marcelo.leitner@...il.com>,
	<netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, Gerald Yang
	<gerald.yang@...onical.com>
Subject: Re: [PATCH net v2] net/sched: Fix UAF when resolving a clash

On Sat, Jul 06, 2024 at 09:42:00AM +0800, Chengen Du wrote:

[...]

> >
> > > > diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> > > > index 2a96d9c1db65..6f41796115e3 100644
> > > > --- a/net/sched/act_ct.c
> > > > +++ b/net/sched/act_ct.c
> > > > @@ -1077,6 +1077,14 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
> > > >              */
> > > >             if (nf_conntrack_confirm(skb) != NF_ACCEPT)
> > > >                     goto drop;
> > > > +
> > > > +           /* The ct may be dropped if a clash has been resolved,
> > > > +            * so it's necessary to retrieve it from skb again to
> > > > +            * prevent UAF.
> > > > +            */
> > > > +           ct = nf_ct_get(skb, &ctinfo);
> > > > +           if (!ct)
> > > > +                   goto drop;
> > >
> > > After taking a closer look at this change, I have a question: Why do we
> > > need to change an action returned by "nf_conntrack_confirm()"
> > > (NF_ACCEPT) and actually perform the flow for NF_DROP?
> > >
> > > From the commit message I understand that you only want to prevent
> > > calling "tcf_ct_flow_table_process_conn()". But for such reason we have
> > > a bool variable: "skip_add".
> > > Shouldn't we just set "skip_add" to true to prevent the UAF?
> > > Would the following example code make sense in this case?
> > >
> > >       ct = nf_ct_get(skb, &ctinfo);
> > >       if (!ct)
> > >               skip_add = true;
> 
> The fix is followed by the KASAN analysis. The ct is freed while
> resolving a clash in the __nf_ct_resolve_clash function, but it is
> still accessed in the tcf_ct_flow_table_process_conn function. If I
> understand correctly, the original logic still adds the ct to the flow
> table after resolving a clash once the skip_add is false. The chance
> of encountering a drop case is rare because the skb's ct is already
> substituted into the hashes one. However, if we still encounter a NULL
> ct, the situation is unusual and might warrant dropping it as a
> precaution. I am not an expert in this area and might have some
> misunderstandings. Please share your opinions if you have any
> concerns.
> 

I'm also not an expert in this part of code. I understand the scenario
of UAF found by KASAN analysis.
My only concern is that the patch changes the flow of the function:
in case of NF_ACCEPT we will go to "drop" instead of performing a normal
flow.

For example, if "nf_conntrack_confirm()" returns NF_ACCEPT, (even after
the clash resolving), I would not expect calling "goto drop".
That is why I suggested a less invasive solution which is just blocking
calling "tcf_ct_flow_table_process_conn()" where there is a risk of UAF.
So, I asked if such solution would work in case of this function.

Thanks,
Michal

> >
> > It depends on what tc wants do to here.
> >
> > For netfilter, the skb is not dropped and continues passing
> > through the stack. Its up to user to decide what to do with it,
> > e.g. doing "ct state invalid drop".

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ