lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20161203003326.GA27610@bistromath.localdomain>
Date:   Sat, 3 Dec 2016 01:33:26 +0100
From:   Sabrina Dubroca <sd@...asysnail.net>
To:     David Miller <davem@...emloft.net>
Cc:     netdev@...r.kernel.org, linville@...driver.com
Subject: Re: [PATCH net] geneve: avoid use-after-free of skb->data

2016-12-02, 14:09:25 -0500, David Miller wrote:
> From: Sabrina Dubroca <sd@...asysnail.net>
> Date: Fri,  2 Dec 2016 16:49:29 +0100
> 
> > geneve{,6}_build_skb can end up doing a pskb_expand_head(), which
> > makes the ip_hdr(skb) reference we stashed earlier stale. Since it's
> > only needed as an argument to ip_tunnel_ecn_encap(), move this
> > directly in the function call.
> > 
> > Fixes: 08399efc6319 ("geneve: ensure ECN info is handled properly in all tx/rx paths")
> > Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>
> 
> Applied and queued up for -stable, thanks.
> 
> This bug happens so many times that I think it might be time for
> a debugging mode for pskb_expand_head() that unconditionally
> reallocates the skb->data buffer regardless of whether it's
> necessary or not and somehow unmaps the previous buffer to
> force a trap on stale pointers.

The problem with that is you'd need to enable the "debugging mode" in
all wrappers, so that they don't bypass the actual call to
pskb_expand_head(). And that still leaves all the direct calls to
pskb_expand_head() that are guarded by some kind of check (just two
random hits without even looking very hard:
net/core/pktgen.c:process_ipsec, net/ipv4/ip_gre.c:gre_fb_xmit).

Then I think we could just rely on KASAN (that's how I noticed this
bug).


> Better ideas welcome, of course :)

May not be better ;)  but at least another idea:

I'd like to try something based on static analysis. We'd need a way to
tag cached pointers to skb->data (via ip_hdr() or whatever), and
propagate the notion that pskb_expand_head() makes these cached
pointers stale through layers of function calls.  I don't know how
feasible this is with the tools we have.

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ