lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 5 Apr 2019 12:00:40 +0200
From:   Lorenzo Bianconi <lorenzo.bianconi@...hat.com>
To:     David Miller <davem@...emloft.net>
Cc:     netdev@...r.kernel.org, jesse@...nel.org
Subject: Re: [PATCH net] ipv6: sit: reset ip header pointer in ipip6_rcv

> From: Lorenzo Bianconi <lorenzo.bianconi@...hat.com>
> Date: Thu,  4 Apr 2019 16:37:53 +0200
> 
> > ipip6 tunnels run iptunnel_pull_header on received skbs. This can
> > determine the following use-after-free accessing iph pointer since
> > the packet will be 'uncloned' running pskb_expand_head if it is a
> > cloned gso skb (e.g if the packet has been sent though a veth device)
>  ...
> > Fix it resetting iph pointer after iptunnel_pull_header
> > 
> > Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
> > Tested-by: Jianlin Shi <jishi@...hat.com>
> > Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@...hat.com>
> 
> Good catch, applied, thanks.

looking at the code it seems there is the same issue for erspan_v{4,6}.
I will post a fix soon.

Regards,
Lorenzo

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ