lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20141028111109.1f64f76e@redhat.com> Date: Tue, 28 Oct 2014 11:11:09 +0100 From: Jesper Dangaard Brouer <brouer@...hat.com> To: "billbonaparte" <programme110@...il.com> Cc: <linux-kernel@...r.kernel.org>, "'Netfilter Developer Mailing List'" <netfilter-devel@...r.kernel.org>, "'Pablo Neira Ayuso'" <pablo@...filter.org>, "'Patrick McHardy'" <kaber@...sh.net>, <kadlec@...ckhole.kfki.hu>, <davem@...emloft.net>, "'Changli Gao'" <xiaosuo@...il.com>, "'Andrey Vagin'" <avagin@...nvz.org>, brouer@...hat.com, "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Re: netfilter: nf_conntrack: there maybe a bug in __nf_conntrack_confirm, when it race against get_next_corpse On Tue, 28 Oct 2014 11:37:31 +0800 "billbonaparte" <programme110@...il.com> wrote: > Hi, all: > sorry for sending this mail again, the last mail doesn't show text > clearly. This one also mangles the text, so I cannot follow the race you are describing. I'll try to reconstruct... > In function __nf_conntrack_confirm, we check the conntrack if it was > already dead, before insert it into hash-table. > We do this because if we insert an already 'dead' hash, it will > block further use of that particular connection. Have you run into this problem in practice, or is this based on a theory? > but we don't do that right. > let's consider the following case: > [tried to reconstruct] > cpu1 cpu2 > __nf_conntrack_confirm get_next_corpse > lock corresponding hash-list .... > check nf_ct_is_dying(ct) .... > ..... for_each_possible_cpu(cpu) { > ..... (processing &pcpu->unconfirmed) > ..... spin_lock_bh(&pcpu->lock); > ..... set_bit(IPS_DYING_BIT, &ct->status); > ..... spin_unlock_bh(&pcpu_lock); > spin_lock_bh(&pcpu->lock); > nf_ct_del_from_dying_or_unconfirmed_list(ct); > spin_unlock_bh(&pcpu_lock); > > add_timer(&ct->timeout); > ct->status |= IPS_CONFIRMED; > __nf_conntrack_hash_insert(ct); > /* the conntrack has been seted as dying*/ Yes, I think you are correct. There is a race. As we are modifying the ct->status, without holding the hash bucket lock. > The above case reveal two problems: > 1. we may insert a dead conntrack to hash-table, it will block > further use of that particular connection. > 2. operation on ct->status should be atomic, because it race aginst > get_next_corpse. > due to this reason, the operation on ct->status in > nf_nat_setup_info should be atomic as well. > > if we want to resolve the first problem, we must delete the > unconfirmed conntrack from unconfirmed-list first, then check if it is > already dead. Guess that would be one approach. > Am I right to do this ? > Appreciate any comments and reply. Perhaps we could get rid of unconfirmed list handling in get_next_corpse? -- Best regards, Jesper Dangaard Brouer MSc.CS, Sr. Network Kernel Developer at Red Hat Author of http://www.iptv-analyzer.org LinkedIn: http://www.linkedin.com/in/brouer -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists