lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 5 Jul 2024 11:35:25 +0200
From: Florian Westphal <fw@...len.de>
To: Michal Kubiak <michal.kubiak@...el.com>
Cc: Chengen Du <chengen.du@...onical.com>, jhs@...atatu.com,
	xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net,
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
	ozsh@...dia.com, paulb@...dia.com, marcelo.leitner@...il.com,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	Gerald Yang <gerald.yang@...onical.com>
Subject: Re: [PATCH net v2] net/sched: Fix UAF when resolving a clash

Michal Kubiak <michal.kubiak@...el.com> wrote:
> On Fri, Jul 05, 2024 at 10:50:56AM +0800, Chengen Du wrote:
> The ct may be dropped if a clash has been resolved but is still passed to
> > the tcf_ct_flow_table_process_conn function for further usage. This issue
> > can be fixed by retrieving ct from skb again after confirming conntrack.

Right, ct can be stale after confirm.

> > diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> > index 2a96d9c1db65..6f41796115e3 100644
> > --- a/net/sched/act_ct.c
> > +++ b/net/sched/act_ct.c
> > @@ -1077,6 +1077,14 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
> >  		 */
> >  		if (nf_conntrack_confirm(skb) != NF_ACCEPT)
> >  			goto drop;
> > +
> > +		/* The ct may be dropped if a clash has been resolved,
> > +		 * so it's necessary to retrieve it from skb again to
> > +		 * prevent UAF.
> > +		 */
> > +		ct = nf_ct_get(skb, &ctinfo);
> > +		if (!ct)
> > +			goto drop;
> 
> After taking a closer look at this change, I have a question: Why do we
> need to change an action returned by "nf_conntrack_confirm()"
> (NF_ACCEPT) and actually perform the flow for NF_DROP?
>
> From the commit message I understand that you only want to prevent
> calling "tcf_ct_flow_table_process_conn()". But for such reason we have
> a bool variable: "skip_add".
> Shouldn't we just set "skip_add" to true to prevent the UAF?
> Would the following example code make sense in this case?
> 
> 	ct = nf_ct_get(skb, &ctinfo);
> 	if (!ct)
> 		skip_add = true;

It depends on what tc wants do to here.

For netfilter, the skb is not dropped and continues passing
through the stack. Its up to user to decide what to do with it,
e.g. doing "ct state invalid drop".

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ