lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 28 Dec 2023 10:09:06 +0800 (GMT+08:00)
From: "Lin Ma" <linma@....edu.cn>
To: "Jamal Hadi Salim" <jhs@...atatu.com>
Cc: xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net, 
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v1] net/sched: cls_api: complement
 tcf_tfilter_dump_policy

Hello Jamal,

> >
> > Sorry, still trying to follow your reasoning that this is a "net issue":
> > As you point out, the skb will have enough space to carry the 32 bit
> > value. Worst case is we read garbage. And the dump, using this garbage
> > chain index,  will not find the chain or will find some unintended
> > chain. Am i missing something?

Thanks for your replying. 

I investigated the code and yes, as you said, the skb data will carry
a tailing space used for putting `struct skb_shared_info`. Hence, 32
bit is not enough here to conduct an overflow read to next object.

Hence I guess you have not missed anything but I do. For the
CVE-2023-3773, the read value is dumped to user-space so the leak is
direct. But since the chain index is not directly dumped
into userspace. The attacker can only exploit this via a side-channel
manner. Assuming the attacker could create as many chain as he can
(2**32 maybe ;P), then the dump from the garbage chain index will leak
the kernel data indirectly.

> >
> > Can you send me a repro (privately) that actually causes the "heap
> > data leak" if you have one?
> 
> To clarify what triggered me is your tie of this as an exploit and
> quoting CVEs. Maybe not so much net vs net-next.

There may be a misunderstanding here. I didn't write such a side-channel
exploit here and as you point out, this is not an easy and worthy task.
(but If you are asking the exploit for CVE-2023-3773, I will inform you
 when it is send to oss-security)

Anyway, I believe you are right. Given the fact that I ignore the
difficulty of this exploitation, such a bug rather than a vulnerability
should go to net-next instead of net. 

Shall I add any tag from you like Suggested or Reviewed?

> cheers,
> jamal
> 

Thanks
Lin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ