| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <80706fff-ca22-45f5-ac0b-ff84e1ba6a8b@huawei.com>
Date: Thu, 21 Aug 2025 09:56:27 +0800
From: Wang Liang <wangliang74@...wei.com>
To: Florian Westphal <fw@...len.de>
CC: <pablo@...filter.org>, <kadlec@...filter.org>, <razor@...ckwall.org>,
<idosch@...dia.com>, <davem@...emloft.net>, <edumazet@...gle.com>,
<kuba@...nel.org>, <pabeni@...hat.com>, <horms@...nel.org>,
<yuehaibing@...wei.com>, <zhangchangzhong@...wei.com>,
<netfilter-devel@...r.kernel.org>, <coreteam@...filter.org>,
<bridge@...ts.linux.dev>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] netfilter: br_netfilter: reread nf_conn from skb
after confirm()
在 2025/8/20 19:31, Florian Westphal 写道:
> Wang Liang <wangliang74@...wei.com> wrote:
>> Previous commit 2d72afb34065 ("netfilter: nf_conntrack: fix crash due to
>> removal of uninitialised entry") move the IPS_CONFIRMED assignment after
>> the hash table insertion.
> How is that related to this change?
> As you write below, the bug came in with 62e7151ae3eb.
Before the commit 2d72afb34065, __nf_conntrack_confirm() set
'ct->status |= IPS_CONFIRMED;' before check hash, the warning will not
happen, so I put it here.
As you say, the bug came in with 62e7151ae3eb. I will delete this paragraph
in next patch.
>> To solve the hash conflict, nf_ct_resolve_clash() try to merge the
>> conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
>> old ct from local variable 'nfct' after confirm(), which leads to this
>> issue. Fix it by rereading nfct from skb.
>>
>> Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
>> Signed-off-by: Wang Liang <wangliang74@...wei.com>
>> ---
>> net/bridge/br_netfilter_hooks.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
>> index 94cbe967d1c1..55b1b7dcb609 100644
>> --- a/net/bridge/br_netfilter_hooks.c
>> +++ b/net/bridge/br_netfilter_hooks.c
>> @@ -626,6 +626,7 @@ static unsigned int br_nf_local_in(void *priv,
>> break;
>> }
>>
>> + nfct = skb_nfct(skb);
>> ct = container_of(nfct, struct nf_conn, ct_general);
>> WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
> There is a second bug here, confirm can return NF_DROP and
> nfct will be NULL.
Thanks for your suggestion!
Do you mean that ct may be deleted in confirm and return NF_DROP, so we can
not visit it in br_nf_local_in() and need to add 'case NF_DROP:' here?
I cannot find somewhere set skb->_nfct to NULL and return NF_DROP. Can you
give some hints?
------
Best regards
Wang Liang
>
> Can you make this change too? (or something similar)?
>
> diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> index 94cbe967d1c1..69b7b7c7565e 100644
> --- a/net/bridge/br_netfilter_hooks.c
> +++ b/net/bridge/br_netfilter_hooks.c
> @@ -619,8 +619,9 @@ static unsigned int br_nf_local_in(void *priv,
> nf_bridge_pull_encap_header(skb);
> ret = ct_hook->confirm(skb);
> switch (ret & NF_VERDICT_MASK) {
> + case NF_DROP:
> case NF_STOLEN:
> - return NF_STOLEN;
> + return ret;
>
>
> nfct reload seems correct, thanks for catching this.
Powered by blists - more mailing lists