lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <52A135C2.9020406@cn.fujitsu.com>
Date:	Fri, 06 Dec 2013 10:26:10 +0800
From:	Gao feng <gaofeng@...fujitsu.com>
To:	Stephen Hemminger <stephen@...workplumber.org>,
	Jiri Pirko <jiri@...nulli.us>
CC:	netdev@...r.kernel.org, davem@...emloft.net, jtluka@...hat.com,
	zhiguohong@...cent.com, bridge@...ts.linux-foundation.org,
	edumazet@...gle.com, laine@...hat.com, mst@...hat.com
Subject: Re: [patch net/stable v2] br: fix use of ->rx_handler_data in code
 executed on non-rx_handler path

On 12/06/2013 12:55 AM, Stephen Hemminger wrote:
> On Thu,  5 Dec 2013 16:27:37 +0100
> Jiri Pirko <jiri@...nulli.us> wrote:
> 
>> br_stp_rcv() is reached by non-rx_handler path. That means there is no
>> guarantee that dev is bridge port and therefore simple NULL check of
>> ->rx_handler_data is not enough. There is need to check if dev is really
>> bridge port and since only rcu read lock is held here, do it by checking
>> ->rx_handler pointer.
>>
>> Note that synchronize_net() in netdev_rx_handler_unregister() ensures
>> this approach as valid.
>>
> 
> 
> I think this patch is simpler/better, it restores the old logic.
> 
> Ps. submitting patches to bugzilla is a good way to have them ignored.
> 
>>>From Stephen Hemminger <stephen@...workplumber.org>
> 
> Check that incoming STP packet is received on a port assigned to bridge
> before processing. It is possible to receive packet on non-bridge port
> because they are multicast.
> 
> See:
>  https://bugzilla.kernel.org/show_bug.cgi?id=64911
> 
> 
> Regression introduced by:
> commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2
> Author: Hong Zhiguo <zhiguohong@...cent.com>
> Date:   Sat Sep 14 22:42:28 2013 +0800
> 
>     bridge: fix NULL pointer deref of br_port_get_rcu
> 
> 
> Reported-by: Alexander Y. Fomichev
> Signed-off-by: Stephen Hemminger <stephen@...workplumber.org>
> 
> 
> --- a/net/bridge/br_stp_bpdu.c	2013-06-11 09:50:21.522919061 -0700
> +++ b/net/bridge/br_stp_bpdu.c	2013-12-05 08:46:56.090463702 -0800
> @@ -153,6 +153,9 @@ void br_stp_rcv(const struct stp_proto *
>  	if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0)
>  		goto err;
>  
> +	if (!br_port_exists(dev))
> +		goto err;
> +
>  	p = br_port_get_rcu(dev);
>  	if (!p)
>  		goto err;


We alreay did some cleanup jobs before mark this dev is not a port of bridge (dev->priv_flags &= ~IFF_BRIDGE_PORT),
such as remove the fdb related to this port(br_fdb_delete_by_port).

and seems like after these cleanup jobs, before unregister this device, if new skb is received,
br_handle_local_finish will call br_fdb_update to create a new fdb whose dst points to the will-be-destroied-port.

I don't know if this will cause some problems.
seems we should also make sure port is unavailable before we do cleanup.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ