Message-ID: <20200319105248.GP979@breakpoint.cc>
Date:   Thu, 19 Mar 2020 11:52:48 +0100
From:   Florian Westphal <fw@...len.de>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     Florian Westphal <fw@...len.de>,
        Martin Zaharinov <micron10@...il.com>,
        netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Bug URGENT Report with new kernel 5.5.10-5.6-rc6

Pablo Neira Ayuso <pablo@...filter.org> wrote:
> On Thu, Mar 19, 2020 at 11:34:38AM +0100, Florian Westphal wrote:
> > Martin Zaharinov <micron10@...il.com> wrote:
> > 
> > [ trimming CC ]
> > 
> > Please revert
> > 
> > commit 28f8bfd1ac948403ebd5c8070ae1e25421560059
> > netfilter: Support iif matches in POSTROUTING
> 
> Please, specify a short description to append to the revert.

TCP makes use of the rb_node in sk_buff for its retransmit queue,
amongst others.  skb->dev aliases to this storage, i.e., passing
skb->dev as the input interface in postrouting may point to another
sk_buff instead.
This will cause crashes and data corruption with nf_queue, as we will
attempt to increment a random pcpu variable when calling dev_hold().

Also, the memory address may also be free'd, which gives UAF splat.
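
An added example, not part of the original message or of the kernel source: a simplified user-space C model of the aliasing described above. The structs are a cut-down assumption that keeps only the first union of `struct sk_buff` and the field order of `struct rb_node`; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model (assumption): only the first union of the
 * kernel's struct sk_buff is reproduced, keeping the kernel's field order. */
struct net_device { char name[16]; };

struct rb_node {
    unsigned long   __rb_parent_color;
    struct rb_node *rb_right;
    struct rb_node *rb_left;
};

struct sk_buff {
    union {
        struct {
            struct sk_buff    *next;
            struct sk_buff    *prev;
            struct net_device *dev;   /* what an iif match would read */
        };
        struct rb_node rbnode;        /* used by the TCP retransmit queue */
    };
    unsigned int len;
};

/* Does the dev pointer occupy the same bytes as rbnode.rb_left? */
int dev_aliases_rb_left(void)
{
    return offsetof(struct sk_buff, dev) ==
           offsetof(struct sk_buff, rbnode.rb_left);
}

/* Link child as the left child of parent, as an rbtree insert would,
 * then return what parent->dev reads back as. */
const void *dev_after_rb_link(struct sk_buff *parent, struct sk_buff *child)
{
    parent->rbnode.rb_left = &child->rbnode;
    child->rbnode.__rb_parent_color = (unsigned long)&parent->rbnode;
    return parent->dev;
}

int main(void)
{
    struct sk_buff a = {0}, b = {0};
    const void *dev = dev_after_rb_link(&a, &b);
    printf("aliases: %d, a.dev=%p, &b=%p\n",
           dev_aliases_rb_left(), dev, (void *)&b);
    return 0;
}
```

In this model, once a buffer sits in the tree its `dev` field reads back as the address of a neighbouring `sk_buff`, so treating it as a `struct net_device` would operate on unrelated memory.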
