lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Feb 2022 22:09:49 +0800 From: "wanghai (M)" <wanghai38@...wei.com> To: David Miller <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, <edumazet@...gle.com>, <yoshfuji@...ux-ipv6.org>, <dsahern@...nel.org> CC: <netdev@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org> Subject: [BUG] net: ipv4: The sent udp broadcast message may be converted to an arp request message Hello, I found a bug, but I don't know how to fix it. Anyone have some good ideas? This bug will cause udp broadcast messages not to be sent, but instead send non-expected arp request messages. Deleting the ip while sending udp broadcast messages and then configuring the ip again will probably trigger the bug. The following is the timing diagram of the bug, cpu0 sends a broadcast message and cpu1 deletes the routing table at the appropriate time. cpu0 cpu1 send() udp_sendmsg() ip_route_output_flow() | fib_lookup() udp_send_skb() ip_send_skb() ip_finish_output2() ifconfig eth0:2 down fib_del_ifaddr fib_table_delete // delete fib table ip_neigh_for_gw() | ip_neigh_gw4() | __ipv4_neigh_lookup_noref() | __neigh_create() | tbl->constructor(n) --> arp_constructor() | neigh->type = inet_addr_type_dev_table(); // no route, neigh->type = RTN_UNICAST neigh_output() // unicast, send an arp request and create an exception arp entry After the above operation, an abnormal arp entry will be generated. If the ip is configured again(ifconfig eth0:2 12.0.208.0), the abnormal arp entry will still exist, and the udp broadcast message will be converted to an arp request message when it is sent. Any feedback would be appreciated, thanks. -- Wang Hai
Powered by blists - more mailing lists