Message-ID: <93a346087193c57f4df807c478d0f7fc8e7db6aa.camel@redhat.com>
Date: Tue, 13 Feb 2024 12:06:04 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Jamal Hadi Salim <jhs@...atatu.com>, Jakub Kicinski <kuba@...nel.org>
Cc: davem@...emloft.net, netdev@...r.kernel.org, edumazet@...gle.com,
 Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, Davide Caratti
 <dcaratti@...hat.com>, xiyou.wangcong@...il.com,  jiri@...nulli.us,
 shmulik.ladkani@...il.com
Subject: Re: [PATCH net] net/sched: act_mirred: use the backlog for mirred
 ingress

On Mon, 2024-02-12 at 10:11 -0500, Jamal Hadi Salim wrote:
> On Mon, Feb 12, 2024 at 9:51 AM Jamal Hadi Salim <jhs@...atatu.com> wrote:
> > 
> > On Fri, Feb 9, 2024 at 6:54 PM Jakub Kicinski <kuba@...nel.org> wrote:
> > > 
> > > The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog
> > > for nested calls to mirred ingress") hangs our testing VMs every 10 or so
> > > runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by
> > > lockdep.
> > > 
> > > In the past there was a concern that the backlog indirection will
> > > lead to loss of error reporting / less accurate stats. But the current
> > > workaround does not seem to address the issue.
> > > 
> > 
> > Let us run some basic tests on this first - it's a hairy spot. Also,
> 
> Something broke.
> Create a ns. Put one half of veth into the namespace. Create a filter
> inside the net ns.
> at_ns$ tc qdisc add dev port0 ingress_block 21 clsact
> at_ns$ tc filter add block 21 egress protocol ip prio 10 matchall
> action mirred ingress redirect dev port0
> 
> Send a ping from host:
> at_host@ ping 10.0.0.2 -c 1 -I <vethportonhostside>
> 
> And.. hits uaf.... see attached.

It looks like:

netif_receive_skb
run_tc()
	act_mirred
		netif_receive_skb
			sch_handle_ingress
				act_mirred // nesting limit hit
			// free skb
		// netif_receive_skb returns NET_RX_DROP
	// act_mirred returns TC_ACT_SHOT
// UaF while de-referencing the (freed) skb


No idea how to solve it on top of my mind :(

Cheers,

Paolo
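The trace above, as an added user-space model of the ownership hazard it describes (this is not kernel code and not the patch under discussion; the function names, the return-code values, the nesting limit and the rule used by the "fixed" variant are all assumptions of this model):

```c
#include <stdbool.h>
/* Constructed stand-ins for the kernel's return codes; the values are arbitrary. */
#define NET_RX_SUCCESS 0
#define NET_RX_DROP    1
#define TC_ACT_SHOT    2
#define TC_ACT_STOLEN  4
#define NEST_LIMIT     1   /* this model's own nesting limit, not the kernel's */
struct skb { bool freed; };              /* 'freed' stands in for the allocator */
typedef int (*act_fn)(struct skb *);
static int nest_depth;
static int uaf_hits;                     /* touches of a freed skb, what KASAN would flag */
static void touch(struct skb *skb) { if (skb->freed) uaf_hits++; }
static void skb_free(struct skb *skb) { touch(skb); skb->freed = true; }

/* netif_receive_skb -> sch_handle_ingress model: on TC_ACT_SHOT it frees the skb itself */
static int receive(struct skb *skb, act_fn act)
{
    int rc = act(skb);
    if (rc == TC_ACT_SHOT) { skb_free(skb); return NET_RX_DROP; }
    return NET_RX_SUCCESS;               /* TC_ACT_STOLEN: the action owns the skb now */
}

/* As in the trace: nested receive() freed the skb, yet NET_RX_DROP becomes TC_ACT_SHOT and the outer hook frees it again */
int mirred_buggy(struct skb *skb)
{
    if (nest_depth >= NEST_LIMIT) return TC_ACT_SHOT;   /* nesting limit hit */
    nest_depth++;
    int rc = receive(skb, mirred_buggy);
    nest_depth--;
    return rc == NET_RX_DROP ? TC_ACT_SHOT : TC_ACT_STOLEN;
}

/* Assumed safe variant: once handed to receive(), the skb is reported stolen and never touched again */
int mirred_fixed(struct skb *skb)
{
    if (nest_depth >= NEST_LIMIT) return TC_ACT_SHOT;
    nest_depth++;
    receive(skb, mirred_fixed);
    nest_depth--;
    return TC_ACT_STOLEN;
}

/* Delivers one constructed packet; returns touches of a freed skb (0 = clean). */
int run_packet(act_fn act)
{
    struct skb pkt = { .freed = false };
    nest_depth = 0; uaf_hits = 0;
    receive(&pkt, act);
    return uaf_hits;
}
```

With the buggy action the outer ingress hook frees the skb a second time (one freed-skb touch); with the stolen-on-handoff rule nothing touches it after the nested receive.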

