From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
Martin Zaharinov <micron10@gmail.com>,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: Bug URGENT Report with new kernel 5.5.10-5.6-rc6
Date: Thu, 19 Mar 2020 11:52:48 +0100 [thread overview]
Message-ID: <20200319105248.GP979@breakpoint.cc> (raw)
In-Reply-To: <20200319104750.x2zz7negjbm6lwch@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Mar 19, 2020 at 11:34:38AM +0100, Florian Westphal wrote:
> > Martin Zaharinov <micron10@gmail.com> wrote:
> >
> > [ trimming CC ]
> >
> > Please revert
> >
> > commit 28f8bfd1ac948403ebd5c8070ae1e25421560059
> > netfilter: Support iif matches in POSTROUTING
>
> Please, specify a short description to append to the revert.
TCP makes use of the rb_node in sk_buff for its retransmit queue,
amongst others. skb->dev aliases to this storage, i.e., passing
skb->dev as the input interface in postrouting may point to another
sk_buff instead.
This will cause crashes and data corruption with nf_queue, as we will
attempt to increment a random pcpu variable when calling dev_hold().
Also, the memory address may also be free'd, which gives UAF splat.
next prev parent reply other threads:[~2020-03-19 10:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CALidq=XsQy66n-pTMOMN=B7nEsk7BpRZnUHery5RJyjnMsiXZQ@mail.gmail.com>
[not found] ` <CALidq=VVpixeJFJFkUSeDqTW=OX0+dhA04ypE=y949B+Aqaq0w@mail.gmail.com>
[not found] ` <CALidq=UXHz+rjiG5JxAz-CJ1mKsFLVupsH3W+z58L2nSPKE-7w@mail.gmail.com>
2020-03-18 23:38 ` Bug URGENT Report with new kernel 5.5.10-5.6-rc6 Stefano Brivio
[not found] ` <CALidq=Xow0EkAP4LkqvQiDOmVDduEwLKa4c-A54or3GMj6+qVw@mail.gmail.com>
2020-03-19 10:34 ` Florian Westphal
2020-03-19 10:47 ` Pablo Neira Ayuso
2020-03-19 10:52 ` Florian Westphal [this message]
2020-03-19 16:40 ` Eric Dumazet
2020-03-19 16:45 ` Eric Dumazet
[not found] ` <CALidq=VJuhEPO-FWOuUdSG+-VO+h7VHfmtQiAxikxH+vMB+vdQ@mail.gmail.com>
[not found] ` <CALidq=Wq3FaGPbbjDvcjvw3V=yPWNMPDeFFy-bDL6fffdjb2rw@mail.gmail.com>
[not found] ` <CALidq=VYSt3WbtapwL-n8cG71=ysYDJTo3L---xj4U1rEC63KQ@mail.gmail.com>
2020-03-24 13:18 ` Florian Westphal
[not found] ` <CALidq=WBGwMWZeK95WpunO=+yiCo=iFFijXmjQdOMKxj7-XC1A@mail.gmail.com>
[not found] ` <CALidq=X1fVQgr1CFNqswNK=me42aYtrqp8cmbFO63ekimn4O-g@mail.gmail.com>
2020-03-25 15:22 ` Florian Westphal
2020-03-25 15:38 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200319105248.GP979@breakpoint.cc \
--to=fw@strlen.de \
--cc=micron10@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.