netdev - Re: [PATCH net] netfilter: br_netfilter: reread nf

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <aKWyImI9qxi6GDIF@strlen.de>
Date: Wed, 20 Aug 2025 13:31:46 +0200
From: Florian Westphal <fw@...len.de>
To: Wang Liang <wangliang74@...wei.com>
Cc: pablo@...filter.org, kadlec@...filter.org, razor@...ckwall.org,
	idosch@...dia.com, davem@...emloft.net, edumazet@...gle.com,
	kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
	yuehaibing@...wei.com, zhangchangzhong@...wei.com,
	netfilter-devel@...r.kernel.org, coreteam@...filter.org,
	bridge@...ts.linux.dev, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] netfilter: br_netfilter: reread nf_conn from skb
 after confirm()

Wang Liang <wangliang74@...wei.com> wrote:
> Previous commit 2d72afb34065 ("netfilter: nf_conntrack: fix crash due to
> removal of uninitialised entry") move the IPS_CONFIRMED assignment after
> the hash table insertion.

How is that related to this change?
As you write below, the bug came in with 62e7151ae3eb.

> To solve the hash conflict, nf_ct_resolve_clash() try to merge the
> conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
> old ct from local variable 'nfct' after confirm(), which leads to this
> issue. Fix it by rereading nfct from skb.
> 
> Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
> Signed-off-by: Wang Liang <wangliang74@...wei.com>
> ---
>  net/bridge/br_netfilter_hooks.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> index 94cbe967d1c1..55b1b7dcb609 100644
> --- a/net/bridge/br_netfilter_hooks.c
> +++ b/net/bridge/br_netfilter_hooks.c
> @@ -626,6 +626,7 @@ static unsigned int br_nf_local_in(void *priv,
>  		break;
>  	}
>  
> +	nfct = skb_nfct(skb);
>  	ct = container_of(nfct, struct nf_conn, ct_general);
>  	WARN_ON_ONCE(!nf_ct_is_confirmed(ct));

There is a second bug here, confirm can return NF_DROP and
nfct will be NULL.

Can you make this change too? (or something similar)?

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 94cbe967d1c1..69b7b7c7565e 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -619,8 +619,9 @@ static unsigned int br_nf_local_in(void *priv,
        nf_bridge_pull_encap_header(skb);
        ret = ct_hook->confirm(skb);
        switch (ret & NF_VERDICT_MASK) {
+       case NF_DROP:
        case NF_STOLEN:
-               return NF_STOLEN;
+               return ret;


nfct reload seems correct, thanks for catching this.