Date:   Fri, 4 Nov 2022 17:16:04 -0400
From:   Yuval Kohavi <yuval.kohavi@...il.com>
To:     netdev@...r.kernel.org
Subject: bpf: bpf_redirect_peer - Infinite Loop

Hello,

I found a scenario where one can use "bpf_redirect_peer" to create an
infinite loop.
To do so, just create a veth pair, and move one of them to a different netns.
Then attach to **both** pairs the following program:

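#include "vmlinux.h"
#include <bpf/bpf_helpers.h>

SEC("ingress")
int tc_ingress(struct __sk_buff *ctx) {
    /* ctx->ifindex is the receiving device, so the packet is handed to
     * the ingress path of that device's veth peer. */
    return bpf_redirect_peer(ctx->ifindex, 0);
}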

Any packet sent to the veth device will trigger an infinite loop:
Because bpf_redirect_peer moves a packet from ingress to ingress,
after it does so it triggers another_round in
__netif_receive_skb_core. And with this configuration another_round
will be triggered forever, creating an infinite loop.

I'm not sure if this is a real security issue, as it requires a user
to set this up in a faulty way, but as bpf is not supposed to allow
infinite loops, I figured that it is better to verify with Netdev.

-- Yuval
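
The following is an added example, not part of the original message and not kernel code: a user-space C model of the ingress re-processing described above, showing why the loop has no exit when both ends redirect and what a hop bound would change. The struct, the function names and the max_hops bound are assumptions made for illustration.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct model_dev {
    int ifindex;
    int peer_ifindex;    /* other end of the veth pair */
    int redirects_peer;  /* 1: tc ingress prog returns bpf_redirect_peer(ctx->ifindex, 0) */
};

static const struct model_dev *find_dev(const struct model_dev *devs, size_t n, int ifindex)
{
    for (size_t i = 0; i < n; i++)
        if (devs[i].ifindex == ifindex)
            return &devs[i];
    return NULL;
}

/* Returns the number of ingress passes before the packet reaches the stack,
 * -1 if the hop bound (hypothetical) is exceeded, -2 for an unknown ifindex. */
int model_receive(const struct model_dev *devs, size_t n, int ifindex, int max_hops)
{
    int passes = 0;

    for (;;) {                         /* stands in for the another_round jump */
        const struct model_dev *d = find_dev(devs, n, ifindex);
        if (!d)
            return -2;
        passes++;
        if (!d->redirects_peer)
            return passes;             /* no redirect: delivered normally */
        if (passes > max_hops)
            return -1;                 /* bound hit: drop instead of spinning */
        ifindex = d->peer_ifindex;     /* packet re-enters ingress on the peer */
    }
}

int main(void)
{
    /* Constructed topology: veth pair with ifindex 1 <-> 2. */
    const struct model_dev both[] = { {1, 2, 1}, {2, 1, 1} };
    const struct model_dev one[]  = { {1, 2, 1}, {2, 1, 0} };

    printf("both ends redirect: %d\n", model_receive(both, 2, 1, 4));
    printf("one end redirects:  %d\n", model_receive(one, 2, 1, 4));
    return 0;
}
```

Without the max_hops check, the first topology never leaves the for loop, which is the behaviour the report describes.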
