Open Source and information security mailing list archives
Message-ID: <aQuCfmZix1qlbFEZ@shredder>
Date: Wed, 5 Nov 2025 18:59:42 +0200
From: Ido Schimmel <idosch@...dia.com>
To: Nikolay Aleksandrov <razor@...ckwall.org>
Cc: netdev@...r.kernel.org, tobias@...dekranz.com, kuba@...nel.org,
	davem@...emloft.net, bridge@...ts.linux.dev, pabeni@...hat.com,
	edumazet@...gle.com, horms@...nel.org, petrm@...dia.com,
	syzbot+dd280197f0f7ab3917be@...kaller.appspotmail.com
Subject: Re: [PATCH net v2 1/2] net: bridge: fix use-after-free due to MST port state bypass

On Wed, Nov 05, 2025 at 01:19:18PM +0200, Nikolay Aleksandrov wrote:
> syzbot reported[1] a use-after-free when deleting an expired fdb. It is
> due to a race condition between learning still happening and a port being
> deleted, after all its fdbs have been flushed. The port's state has been
> toggled to disabled so no learning should happen at that time, but if we
> have MST enabled, it will bypass the port's state, which, together with VLAN
> filtering disabled, can lead to fdb learning at a time when it shouldn't
> happen while the port is being deleted. VLAN filtering must be disabled
> because we flush the port VLANs when it's being deleted, which will stop
> learning. This fix adds a check for the port's vlan group, which is
> initialized to NULL when the port is being deleted, and that avoids the port
> state bypass. When MST is enabled there would be a minimal new overhead
> in the fast-path because the port's vlan group pointer is cache-hot.
> 
> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
> 
> Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode")
> Reported-by: syzbot+dd280197f0f7ab3917be@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/69088ffa.050a0220.29fc44.003d.GAE@google.com/
> Signed-off-by: Nikolay Aleksandrov <razor@...ckwall.org>

Reviewed-by: Ido Schimmel <idosch@...dia.com>
