lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <55a04a8f-56f3-f73c-2aea-2195923f09d1@huawei.com>
Date:   Mon, 7 Feb 2022 22:09:49 +0800
From:   "wanghai (M)" <wanghai38@...wei.com>
To:     David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, <edumazet@...gle.com>,
        <yoshfuji@...ux-ipv6.org>, <dsahern@...nel.org>
CC:     <netdev@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [BUG] net: ipv4: The sent udp broadcast message may be converted to
 an arp request message

Hello,

I found a bug, but I don't know how to fix it. Anyone have some good ideas?

This bug will cause udp broadcast messages not to be sent, but instead send
non-expected arp request messages.

Deleting the ip while sending udp broadcast messages and then configuring
the ip again will probably trigger the bug.

The following is the timing diagram of the bug, cpu0 sends a broadcast
message and cpu1 deletes the routing table at the appropriate time.

cpu0                                        cpu1
send()
   udp_sendmsg()
     ip_route_output_flow()
     |  fib_lookup()
     udp_send_skb()
       ip_send_skb()
         ip_finish_output2()

                                             ifconfig eth0:2 down
                                               fib_del_ifaddr
                                                 fib_table_delete // 
delete fib table

           ip_neigh_for_gw()
           |  ip_neigh_gw4()
           |    __ipv4_neigh_lookup_noref()
           |    __neigh_create()
           |      tbl->constructor(n) --> arp_constructor()
           |        neigh->type = inet_addr_type_dev_table(); // no 
route, neigh->type = RTN_UNICAST
           neigh_output() // unicast, send an arp request and create an 
exception arp entry

After the above operation, an abnormal arp entry will be generated. If
the ip is configured again(ifconfig eth0:2 12.0.208.0), the abnormal arp
entry will still exist, and the udp broadcast message will be converted
to an arp request message when it is sent.

Any feedback would be appreciated, thanks.

-- 
Wang Hai

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ