| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210802112001.rxfajfttl35bnh5s@skbuf>
Date: Mon, 2 Aug 2021 11:20:01 +0000
From: Vladimir Oltean <vladimir.oltean@....com>
To: Nikolay Aleksandrov <nikolay@...dia.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Jiri Pirko <jiri@...nulli.us>,
Ido Schimmel <idosch@...sch.org>,
Roopa Prabhu <roopa@...dia.com>,
"bridge@...ts.linux-foundation.org"
<bridge@...ts.linux-foundation.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
"syzbot+9ba1174359adba5a5b7c@...kaller.appspotmail.com"
<syzbot+9ba1174359adba5a5b7c@...kaller.appspotmail.com>
Subject: Re: [PATCH net] net: bridge: validate the NUD_PERMANENT bit when
adding an extern_learn FDB entry
On Mon, Aug 02, 2021 at 02:02:36PM +0300, Nikolay Aleksandrov wrote:
> >> Actually I believe there is still a bug in 52e4bec15546 even with this fix.
> >> The flag can change after the dst has been read in br_switchdev_fdb_notify()
> >> so in theory you could still do a null pointer dereference. fdb_notify()
> >> can be called from a few places without locking. The code shouldn't dereference
> >> the dst based on the flag.
> >
> > Are you thinking of a specific code path that triggers a race between
> > (a) a writer side doing WRITE_ONCE(fdb->dst, NULL) and then
> > set_bit(BR_FDB_LOCAL, &fdb->flags), exactly in this order, and
>
> Visible order is not guaranteed, there are no barriers neither at writer nor reader
> sides, especially when used without locking. So we cannot make any assumptions
> about the order visibility of these writes.
>
> > (b) a reader side catching that fdb exactly in between the above 2
> > statements, through fdb_notify or otherwise (br_fdb_replay)?
> >
> > Because I don't see any.
> >
> > Plus, I am a bit nervous about protecting against theoretical/unproven
> > races in a way that masks real bugs, as we would be doing if I add an
> > extra check in br_fdb_replay_one and br_switchdev_fdb_notify against the
> > case where an entry has fdb->dst == NULL but not BR_FDB_LOCAL.
> >
>
> The bits are _not_ visible atomically with the setting of ->dst. It is obvious
> you must not dereference anything based on them, they are only indications when used
> outside of locked regions and code must be able to deal with inconsistencies as that
> is implied by the way they're used. It is a clear and obvious bug dereferencing based
> on a bit that can change in parallel without any memory ordering guarantees.
Ok, I will send a separate patch for that.
> You are not "masking" anything, but fixing what is currently buggy use of fdb bits.
I am "masking" in the sense that the bug I am fixing here was not
obvious to me until it triggered a NPD. That would stop happening with
the patch I'm about to send, but maybe there are still bridge UAPI
functions that do not validate the 'permanent' flag from FDB entries.
> As I already said - this doesn't fix the null deref bug completely, in fact it fixes a different
> inconsistency, before at worst you'd get blackholed traffic for such entries now
> you get a null pointer dereference.
Powered by blists - more mailing lists