| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Nov 2023 10:56:26 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: Zhengchao Shao <shaozhengchao@...wei.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
weiyongjun1@...wei.com, yuehaibing@...wei.com
Subject: Re: [PATCH net] ipv4: igmp: fix refcnt uaf issue when receiving igmp
query packet
Hi Zhengchao,
On Tue, Nov 21, 2023 at 10:05:58AM +0800, Zhengchao Shao wrote:
> ---
> net/ipv4/igmp.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
> index 76c3ea75b8dd..f217581904d6 100644
> --- a/net/ipv4/igmp.c
> +++ b/net/ipv4/igmp.c
> @@ -1044,6 +1044,8 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
> for_each_pmc_rcu(in_dev, im) {
> int changed;
>
> + if (!netif_running(im->interface->dev))
> + continue;
I haven't checked this part for a long time. What's the difference of in_dev->dev
and im->interface->dev? I though they are the same, no?
If they are the same, should we stop processing the query earlier? e.g.
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 76c3ea75b8dd..f4e1d229c9aa 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1082,6 +1082,9 @@ int igmp_rcv(struct sk_buff *skb)
goto drop;
}
+ if (!netif_running(dev))
+ goto drop;
+
in_dev = __in_dev_get_rcu(dev);
if (!in_dev)
goto drop;
BTW, does IPv6 MLD has this issue?
Thanks
Hangbin
Powered by blists - more mailing lists