| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1daf1401-5009-df1c-a77a-a271811c0760@nod.at>
Date: Wed, 12 Jul 2017 23:26:35 +0200
From: Richard Weinberger <richard@....at>
To: Florian Westphal <fw@...len.de>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Pablo Neira Ayuso <pablo@...filter.org>,
David Miller <davem@...emloft.net>,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
David Gstir <david@...ma-star.at>, kaber@...sh.net,
"keescook@...omium.org" <keescook@...omium.org>
Subject: Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID
Florian,
Am 01.07.2017 um 12:35 schrieb Florian Westphal:
>>> Perhaps we can place that in a new extension (its not needed in any
>>> fastpath ops)?
>>
>> To get rid of the infoleak we have to re-introduce the id field in struct nf_conn
>> and struct nf_conntrack_expect.
>
> Why will this not work?
You are right, when we compute the ID from the whole object, it should be fine.
>> Otherwise have nothing to compare against in the conntrack/expect remove case.
>
> Not following, sorry. The id is not used anywhere except when we send
> info to userspace.
>
> The compare on removal is not needed afaics, and its also not used when
> doing lookup to begin with, so we can just recompute it?
Isn't this a way too much overhead?
I personally favor Pablo's per-cpu counter approach.
That way the IDs are unique again and we get rid of the info leak without
much effort.
Thanks,
//richard
Powered by blists - more mailing lists