lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210802112001.rxfajfttl35bnh5s@skbuf>
Date:   Mon, 2 Aug 2021 11:20:01 +0000
From:   Vladimir Oltean <vladimir.oltean@....com>
To:     Nikolay Aleksandrov <nikolay@...dia.com>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jiri Pirko <jiri@...nulli.us>,
        Ido Schimmel <idosch@...sch.org>,
        Roopa Prabhu <roopa@...dia.com>,
        "bridge@...ts.linux-foundation.org" 
        <bridge@...ts.linux-foundation.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        "syzbot+9ba1174359adba5a5b7c@...kaller.appspotmail.com" 
        <syzbot+9ba1174359adba5a5b7c@...kaller.appspotmail.com>
Subject: Re: [PATCH net] net: bridge: validate the NUD_PERMANENT bit when
 adding an extern_learn FDB entry

On Mon, Aug 02, 2021 at 02:02:36PM +0300, Nikolay Aleksandrov wrote:
> >> Actually I believe there is still a bug in 52e4bec15546 even with this fix.
> >> The flag can change after the dst has been read in br_switchdev_fdb_notify()
> >> so in theory you could still do a null pointer dereference. fdb_notify()
> >> can be called from a few places without locking. The code shouldn't dereference
> >> the dst based on the flag.
> >
> > Are you thinking of a specific code path that triggers a race between
> > (a) a writer side doing WRITE_ONCE(fdb->dst, NULL) and then
> >     set_bit(BR_FDB_LOCAL, &fdb->flags), exactly in this order, and
>
> Visible order is not guaranteed, there are no barriers neither at writer nor reader
> sides, especially when used without locking. So we cannot make any assumptions
> about the order visibility of these writes.
>
> > (b) a reader side catching that fdb exactly in between the above 2
> >     statements, through fdb_notify or otherwise (br_fdb_replay)?
> >
> > Because I don't see any.
> >
> > Plus, I am a bit nervous about protecting against theoretical/unproven
> > races in a way that masks real bugs, as we would be doing if I add an
> > extra check in br_fdb_replay_one and br_switchdev_fdb_notify against the
> > case where an entry has fdb->dst == NULL but not BR_FDB_LOCAL.
> >
>
> The bits are _not_ visible atomically with the setting of ->dst. It is obvious
> you must not dereference anything based on them, they are only indications when used
> outside of locked regions and code must be able to deal with inconsistencies as that
> is implied by the way they're used. It is a clear and obvious bug dereferencing based
> on a bit that can change in parallel without any memory ordering guarantees.

Ok, I will send a separate patch for that.

> You are not "masking" anything, but fixing what is currently buggy use of fdb bits.

I am "masking" in the sense that the bug I am fixing here was not
obvious to me until it triggered a NPD. That would stop happening with
the patch I'm about to send, but maybe there are still bridge UAPI
functions that do not validate the 'permanent' flag from FDB entries.

> As I already said - this doesn't fix the null deref bug completely, in fact it fixes a different
> inconsistency, before at worst you'd get blackholed traffic for such entries now
> you get a null pointer dereference.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ