lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 4 Apr 2015 19:06:46 +0300 (EEST)
From:	Julian Anastasov <ja@....bg>
To:	Eric Dumazet <eric.dumazet@...il.com>
cc:	Alexei Potashnik <alexei@...estorage.com>,
	Joern Engel <joern@...estorage.com>,
	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: neigh use-after-free


	Hello,

On Fri, 3 Apr 2015, Eric Dumazet wrote:

> > Problem is __neigh_event_send() is ignoring n->dead
> > 
> > 
> 
> Please try following patch :
> 
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index 3de6542560288b3896ab243879a7b4a9b098ca0d..3a2928332b31bfd421ca409ba9bc4e82f82b3552 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -957,7 +957,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
>  	rc = 0;
>  	if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
>  		goto out_unlock_bh;

	At this point we can have NUD_STALE, NUD_INCOMPLETE or
NUD_FAILED. Not sure about NUD_STALE but for others we should
call kfree_skb(skb) and to return rc = 1. It is possible that
we never resolved this entry, so rc = 0 is not correct for all
cases.

	When n->dead = 1 the neigh is unlinked but the
option to call somehow __neigh_create() looks complex.
As result, in a rare case we can drop packets while
neigh_periodic_work is removing NUD_STALE entry. May be
it can take a RCU grace period.

> -
> +	if (neigh->dead)
> +		goto out_unlock_bh;
>  	if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
>  		if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
>  		    NEIGH_VAR(neigh->parms, APP_PROBES)) {

Regards

--
Julian Anastasov <ja@....bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ