| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Aug 2022 18:39:23 +0000 From: "Dhupar, Rishi" <rdhupar@...mai.com> To: "netdev@...r.kernel.org" <netdev@...r.kernel.org> CC: "Gero, Charlie" <cgero@...mai.com> Subject: Question - bind(2) to local route on main routing table Hi, We recently discovered an inconsistency in the behavior of bind(2) with respect to a type local route being added to the main table. I was able to track down the issue and it appears it was introduced in this commit[1] which merged the local and main fib tries for performance and which are then later unmerged once the RPDB is modified. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ddcf43d5d4a03ded1ee3f6b3b72a0cbed4e90b1 Synopsis: a user can bind(2) to any address within the prefix of a type local route that has been added to the main routing table Short example on an untainted Ubuntu 22.04 machine $ ip route add local 1.2.3.4/32 dev lo table main $ nc -n -s 1.2.3.4 -l -p 9999 # Succeeds $ ip rule add table 100 # This can be any change to RPDB $ nc -n -s 1.2.3.4 -l -p 9999 Can't grab 1.2.3.4:9999 with bind : Cannot assign requested address Note: This also impacts implicit bind behavior wrt to system calls such as connect(2). Does this warrant further investigation and/or possibly a patch to disallow this behavior? Regards, Rishi Dhupar
Powered by blists - more mailing lists