| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251126195244.88124-5-xiyou.wangcong@gmail.com>
Date: Wed, 26 Nov 2025 11:52:39 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: netdev@...r.kernel.org
Cc: stephen@...workplumber.org,
kuba@...nel.org,
Cong Wang <cwang@...tikernel.io>
Subject: [Patch net v5 4/9] net_sched: Prevent using netem duplication in non-initial user namespace
From: Cong Wang <cwang@...tikernel.io>
The netem qdisc has a known security issue with packet duplication
that makes it unsafe to use in unprivileged contexts. While netem
typically requires CAP_NET_ADMIN to load, users with "root" privileges
inside a user namespace also have CAP_NET_ADMIN within that namespace,
allowing them to potentially exploit this feature.
To address this, we need to restrict the netem duplication to only the
initial user namespace.
Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
Signed-off-by: Cong Wang <cwang@...tikernel.io>
---
net/sched/sch_netem.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 191f64bd68ff..f87b862c769a 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -991,6 +991,12 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
int ret;
qopt = nla_data(opt);
+
+ if (dev_net(qdisc_dev(sch))->user_ns != &init_user_ns && qopt->duplicate) {
+ NL_SET_ERR_MSG(extack, "Duplication is not allowed in unprivileged namespaces");
+ return -EINVAL;
+ }
+
ret = parse_attr(tb, TCA_NETEM_MAX, opt, netem_policy, sizeof(*qopt));
if (ret < 0)
return ret;
--
2.34.1
Powered by blists - more mailing lists