lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220301215337.378405-1-pablo@netfilter.org>
Date:   Tue,  1 Mar 2022 22:53:29 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org, kuba@...nel.org
Subject: [PATCH net 0/8] Netfilter fixes for net

Hi,

The following patchset contains Netfilter fixes for net:

1) Use kfree_rcu(ptr, rcu) variant, using kfree_rcu(ptr) was not
   intentional. From Eric Dumazet.

2) Use-after-free in netfilter hook core, from Eric Dumazet.

3) Missing rcu read lock side for netfilter egress hook,
   from Florian Westphal.

4) nf_queue assume state->sk is full socket while it might not be.
   Invoke sock_gen_put(), from Florian Westphal.

5) Add selftest to exercise the reported KASAN splat in 4)

6) Fix possible use-after-free in nf_queue in case sk_refcnt is 0.
   Also from Florian.

7) Use input interface index only for hardware offload, not for
   the software plane. This breaks tc ct action. Patch from Paul Blakey.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 277f2bb14361790a70e4b3c649e794b75a91a597:

  ibmvnic: schedule failover only if vioctl fails (2022-02-22 17:06:27 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to db6140e5e35a48405e669353bd54042c1d4c3841:

  net/sched: act_ct: Fix flow table lookup failure with no originating ifindex (2022-03-01 22:08:31 +0100)

----------------------------------------------------------------
Eric Dumazet (2):
      netfilter: nf_tables: prefer kfree_rcu(ptr, rcu) variant
      netfilter: fix use-after-free in __nf_register_net_hook()

Florian Westphal (5):
      netfilter: egress: silence egress hook lockdep splats
      netfilter: nf_queue: don't assume sk is full socket
      selftests: netfilter: add nfqueue TCP_NEW_SYN_RECV socket race test
      netfilter: nf_queue: fix possible use-after-free
      netfilter: nf_queue: handle socket prefetch

Paul Blakey (1):
      net/sched: act_ct: Fix flow table lookup failure with no originating ifindex

 include/linux/netfilter_netdev.h                  |   4 +
 include/net/netfilter/nf_flow_table.h             |   6 +-
 include/net/netfilter/nf_queue.h                  |   2 +-
 net/netfilter/core.c                              |   5 +-
 net/netfilter/nf_flow_table_offload.c             |   6 +-
 net/netfilter/nf_queue.c                          |  36 +++++-
 net/netfilter/nf_tables_api.c                     |   4 +-
 net/netfilter/nfnetlink_queue.c                   |  12 +-
 net/sched/act_ct.c                                |  13 ++-
 tools/testing/selftests/netfilter/.gitignore      |   1 +
 tools/testing/selftests/netfilter/Makefile        |   2 +-
 tools/testing/selftests/netfilter/connect_close.c | 136 ++++++++++++++++++++++
 tools/testing/selftests/netfilter/nft_queue.sh    |  19 +++
 13 files changed, 226 insertions(+), 20 deletions(-)
 create mode 100644 tools/testing/selftests/netfilter/connect_close.c

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ