| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHA+R7NvbJyjjBac=4VneQ_Nuxtb-_HEOJp0dujh5SOXj3NSKQ@mail.gmail.com> Date: Wed, 1 Apr 2015 17:06:54 -0700 From: Cong Wang <cwang@...pensource.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org> Cc: netdev <netdev@...r.kernel.org>, Jiri Pirko <jiri@...nulli.us> Subject: Re: [PATCH net-next] ipv6: protect skb->sk accesses from recursive dereference inside the stack On Wed, Apr 1, 2015 at 8:07 AM, Hannes Frederic Sowa <hannes@...essinduktion.org> wrote: > From: "hannes@...essinduktion.org" <hannes@...essinduktion.org> > > We should not consult skb->sk for output decisions in xmit recursion > levels > 0 in the stack. Otherwise local socket settings could influence > the result of e.g. tunnel encapsulation process. > > ipv6 does not conform with this in three places: > > 1) ip6_fragment: we do consult ipv6_npinfo for frag_size > > 2) sk_mc_loop in ipv6 uses skb->sk and checks if we should > loop the packet back to the local socket > > 3) ip6_skb_dst_mtu could query the settings from the user socket and > force a wrong MTU > > Furthermore: > In sk_mc_loop we could potentially land in WARN_ON(1) if we use a > PF_PACKET socket ontop of an IPv6-backed vxlan device. > > Reuse xmit_recursion as we are currently only interested in protecting > tunnel devices. > Shouldn't these skb's be orphaned for tunnel cases? Or we still have to keep skb->sk for other valid use? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists