| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200701.152116.1519098438346883237.davem@davemloft.net>
Date: Wed, 01 Jul 2020 15:21:16 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: wenxu@...oud.cn
Cc: paulb@...lanox.com, netdev@...r.kernel.org
Subject: Re: [PATCH net 1/2] net/sched: act_ct: fix restore the
qdisc_skb_cb after defrag
From: wenxu@...oud.cn
Date: Mon, 29 Jun 2020 17:16:17 +0800
> From: wenxu <wenxu@...oud.cn>
>
> The fragment packets do defrag in tcf_ct_handle_fragments
> will clear the skb->cb which make the qdisc_skb_cb clear
> too and set the pkt_len to 0. The bytes always 0 when dump
> the filter. And it also update the pkt_len after all the
> fragments finish the defrag to one packet and make the
> following action counter correct.
>
> filter protocol ip pref 2 flower chain 0 handle 0x2
> eth_type ipv4
> dst_ip 1.1.1.1
> ip_flags frag/firstfrag
> skip_hw
> not_in_hw
> action order 1: ct zone 1 nat pipe
> index 2 ref 1 bind 1 installed 11 sec used 11 sec
> Action statistics:
> Sent 0 bytes 11 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> cookie e04106c2ac41769b278edaa9b5309960
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
> Signed-off-by: wenxu <wenxu@...oud.cn>
This is a much larger and serious problem IMHO. And this fix is
not sufficient.
Nothing can clobber the qdisc_skb_cb like this in these packet flows
otherwise we will have serious crashes and problems. Some packet
schedulers store pointers in the qdisc CB private area, for example.
We need to somehow elide the CB clear when packets are defragmented by
connection tracking.
Powered by blists - more mailing lists