lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Fri,  2 Sep 2022 14:19:02 +0200
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,, "David S. Miller" <>,
        Eric Dumazet <>,
        Jakub Kicinski <>,
        Paolo Abeni <>,
        Daniel Borkmann <>,
        David Ahern <>,
        Yajun Deng <>,
        Roopa Prabhu <>,
        Christian Brauner <>,,
        Alexey Kuznetsov <>,
        Alexander Mikhalitsyn <>,
        Konstantin Khorenko <>,,,
        "Denis V. Lunev" <>, Sasha Levin <>
Subject: [PATCH 4.14 38/42] neigh: fix possible DoS due to net iface start/stop loop

From: Denis V. Lunev <>

[ Upstream commit 66ba215cb51323e4e55e38fd5f250e0fae0cbc94 ]

Normal processing of ARP request (usually this is Ethernet broadcast
packet) coming to the host is looking like the following:
* the packet comes to arp_process() call and is passed through routing
* the request is put into the queue using pneigh_enqueue() if
  corresponding ARP record is not local (common case for container
  records on the host)
* the request is processed by timer (within 80 jiffies by default) and
  ARP reply is sent from the same arp_process() using
  NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED condition (flag is set inside

And here the problem comes. Linux kernel calls pneigh_queue_purge()
which destroys the whole queue of ARP requests on ANY network interface
start/stop event through __neigh_ifdown().

This is actually not a problem within the original world as network
interface start/stop was accessible to the host 'root' only, which
could do more destructive things. But the world is changed and there
are Linux containers available. Here container 'root' has an access
to this API and could be considered as untrusted user in the hosting
(container's) world.

Thus there is an attack vector to other containers on node when
container's root will endlessly start/stop interfaces. We have observed
similar situation on a real production node when docker container was
doing such activity and thus other containers on the node become not

The patch proposed doing very simple thing. It drops only packets from
the same namespace in the pneigh_queue_purge() where network interface
state change is detected. This is enough to prevent the problem for the
whole node preserving original semantics of the code.

	- do del_timer_sync() if queue is empty after pneigh_queue_purge()
	- rebase to net tree

Cc: "David S. Miller" <>
Cc: Eric Dumazet <>
Cc: Jakub Kicinski <>
Cc: Paolo Abeni <>
Cc: Daniel Borkmann <>
Cc: David Ahern <>
Cc: Yajun Deng <>
Cc: Roopa Prabhu <>
Cc: Christian Brauner <>
Cc: Alexey Kuznetsov <>
Cc: Alexander Mikhalitsyn <>
Cc: Konstantin Khorenko <>
Investigated-by: Alexander Mikhalitsyn <>
Signed-off-by: Denis V. Lunev <>
Signed-off-by: David S. Miller <>
Signed-off-by: Sasha Levin <>
 net/core/neighbour.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 358e84af0210b..8af9761768e00 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -222,14 +222,23 @@ static int neigh_del_timer(struct neighbour *n)
 	return 0;
-static void pneigh_queue_purge(struct sk_buff_head *list)
+static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+	unsigned long flags;
 	struct sk_buff *skb;
-	while ((skb = skb_dequeue(list)) != NULL) {
-		dev_put(skb->dev);
-		kfree_skb(skb);
+	spin_lock_irqsave(&list->lock, flags);
+	skb = skb_peek(list);
+	while (skb != NULL) {
+		struct sk_buff *skb_next = skb_peek_next(skb, list);
+		if (net == NULL || net_eq(dev_net(skb->dev), net)) {
+			__skb_unlink(skb, list);
+			dev_put(skb->dev);
+			kfree_skb(skb);
+		}
+		skb = skb_next;
+	spin_unlock_irqrestore(&list->lock, flags);
 static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev)
@@ -295,9 +304,9 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
 	neigh_flush_dev(tbl, dev);
 	pneigh_ifdown_and_unlock(tbl, dev);
-	del_timer_sync(&tbl->proxy_timer);
-	pneigh_queue_purge(&tbl->proxy_queue);
+	pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev));
+	if (skb_queue_empty_lockless(&tbl->proxy_queue))
+		del_timer_sync(&tbl->proxy_timer);
 	return 0;
@@ -1609,7 +1618,7 @@ int neigh_table_clear(int index, struct neigh_table *tbl)
 	/* It is not clean... Fix it to unload IPv6 module safely */
-	pneigh_queue_purge(&tbl->proxy_queue);
+	pneigh_queue_purge(&tbl->proxy_queue, NULL);
 	neigh_ifdown(tbl, NULL);
 	if (atomic_read(&tbl->entries))
 		pr_crit("neighbour leakage\n");

Powered by blists - more mailing lists