| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52A27D6B.10508@gmail.com> Date: Fri, 06 Dec 2013 20:44:11 -0500 From: Vlad Yasevich <vyasevich@...il.com> To: Gao feng <gaofeng@...fujitsu.com>, Stephen Hemminger <stephen@...workplumber.org>, Jiri Pirko <jiri@...nulli.us> CC: netdev@...r.kernel.org, davem@...emloft.net, jtluka@...hat.com, zhiguohong@...cent.com, bridge@...ts.linux-foundation.org, edumazet@...gle.com, laine@...hat.com, mst@...hat.com Subject: Re: [patch net/stable v2] br: fix use of ->rx_handler_data in code executed on non-rx_handler path On 12/05/2013 09:26 PM, Gao feng wrote: > On 12/06/2013 12:55 AM, Stephen Hemminger wrote: >> On Thu, 5 Dec 2013 16:27:37 +0100 >> Jiri Pirko <jiri@...nulli.us> wrote: >> >>> br_stp_rcv() is reached by non-rx_handler path. That means there is no >>> guarantee that dev is bridge port and therefore simple NULL check of >>> ->rx_handler_data is not enough. There is need to check if dev is really >>> bridge port and since only rcu read lock is held here, do it by checking >>> ->rx_handler pointer. >>> >>> Note that synchronize_net() in netdev_rx_handler_unregister() ensures >>> this approach as valid. >>> >> >> >> I think this patch is simpler/better, it restores the old logic. >> >> Ps. submitting patches to bugzilla is a good way to have them ignored. >> >> >From Stephen Hemminger <stephen@...workplumber.org> >> >> Check that incoming STP packet is received on a port assigned to bridge >> before processing. It is possible to receive packet on non-bridge port >> because they are multicast. >> >> See: >> https://bugzilla.kernel.org/show_bug.cgi?id=64911 >> >> >> Regression introduced by: >> commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 >> Author: Hong Zhiguo <zhiguohong@...cent.com> >> Date: Sat Sep 14 22:42:28 2013 +0800 >> >> bridge: fix NULL pointer deref of br_port_get_rcu >> >> >> Reported-by: Alexander Y. Fomichev >> Signed-off-by: Stephen Hemminger <stephen@...workplumber.org> >> >> >> --- a/net/bridge/br_stp_bpdu.c 2013-06-11 09:50:21.522919061 -0700 >> +++ b/net/bridge/br_stp_bpdu.c 2013-12-05 08:46:56.090463702 -0800 >> @@ -153,6 +153,9 @@ void br_stp_rcv(const struct stp_proto * >> if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0) >> goto err; >> >> + if (!br_port_exists(dev)) >> + goto err; >> + >> p = br_port_get_rcu(dev); >> if (!p) >> goto err; > > > We alreay did some cleanup jobs before mark this dev is not a port of bridge (dev->priv_flags &= ~IFF_BRIDGE_PORT), > such as remove the fdb related to this port(br_fdb_delete_by_port). > > and seems like after these cleanup jobs, before unregister this device, if new skb is received, > br_handle_local_finish will call br_fdb_update to create a new fdb whose dst points to the will-be-destroied-port. Not really. We disable the port first before removing the fdb as a result, br_handle_local_finish() will not update the fdb because the port is in disabled state. -vlad > > I don't know if this will cause some problems. > seems we should also make sure port is unavailable before we do cleanup. > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists