| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Feb 2022 22:09:49 +0800
From: "wanghai (M)" <wanghai38@...wei.com>
To: David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, <edumazet@...gle.com>,
<yoshfuji@...ux-ipv6.org>, <dsahern@...nel.org>
CC: <netdev@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: [BUG] net: ipv4: The sent udp broadcast message may be converted to
an arp request message
Hello,
I found a bug, but I don't know how to fix it. Anyone have some good ideas?
This bug will cause udp broadcast messages not to be sent, but instead send
non-expected arp request messages.
Deleting the ip while sending udp broadcast messages and then configuring
the ip again will probably trigger the bug.
The following is the timing diagram of the bug, cpu0 sends a broadcast
message and cpu1 deletes the routing table at the appropriate time.
cpu0 cpu1
send()
udp_sendmsg()
ip_route_output_flow()
| fib_lookup()
udp_send_skb()
ip_send_skb()
ip_finish_output2()
ifconfig eth0:2 down
fib_del_ifaddr
fib_table_delete //
delete fib table
ip_neigh_for_gw()
| ip_neigh_gw4()
| __ipv4_neigh_lookup_noref()
| __neigh_create()
| tbl->constructor(n) --> arp_constructor()
| neigh->type = inet_addr_type_dev_table(); // no
route, neigh->type = RTN_UNICAST
neigh_output() // unicast, send an arp request and create an
exception arp entry
After the above operation, an abnormal arp entry will be generated. If
the ip is configured again(ifconfig eth0:2 12.0.208.0), the abnormal arp
entry will still exist, and the udp broadcast message will be converted
to an arp request message when it is sent.
Any feedback would be appreciated, thanks.
--
Wang Hai
Powered by blists - more mailing lists