From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Florian Westphal <fw@strlen.de>, David Ahern <dsahern@kernel.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Kees Cook <keescook@chromium.org>,
Nikolay Aleksandrov <razor@blackwall.org>,
Roopa Prabhu <roopa@nvidia.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
bridge@lists.linux.dev, kernel@openvz.org
Subject: Re: [PATCH v3 0/4] netlink: bridge: fix nf_bridge->physindev use after free
Date: Wed, 17 Jan 2024 13:43:48 +0100
Message-ID: <ZafLhL9U3f/i07BU@calendula>
In-Reply-To: <20240111150645.85637-1-ptikhomirov@virtuozzo.com>

On Thu, Jan 11, 2024 at 11:06:36PM +0800, Pavel Tikhomirov wrote:
> Code processing skb from neigh->arp_queue can access its
> nf_bridge->physindev, which can already be freed, leading to crash.
>
> So, as Florian suggests, we can put physinif on nf_bridge and peek into
> the original device with dev_get_by_index_rcu(), so that we can be sure
> that device is not freed under us.
>
> This is a second attempt to fix this issue, first attempt:
>
> "neighbour: purge nf_bridged skb from foreign device neigh"
> https://lore.kernel.org/netdev/20240108085232.95437-1-ptikhomirov@virtuozzo.com/

I have applied this series to nf.git

I have added a Fixed: tag sufficiently old to the patch fix so it can
reach -stable at some point.

My understanding is that this problem has been always there for
br_netfilter.
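
The approach described in the quoted cover letter, as an added userspace model (not code from the patch series or the kernel): the queued packet keeps an interface index and resolves it at use time, so a removed device yields NULL instead of a stale pointer. `dev_model`, `dev_table`, `register_dev`, `unregister_dev`, `dev_lookup`, `nf_bridge_model` and `queued_pkt_indev` are hypothetical names, and the table indexed directly by ifindex is an assumption made for brevity.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEVS 8
/* Constructed stand-ins for struct net_device and nf_bridge_info. */
struct dev_model { char name[16]; int registered; };
struct nf_bridge_model { int physinif; }; /* an index, not a pointer */
/* Stand-in for the table that dev_get_by_index_rcu() searches. */
static struct dev_model dev_table[MAX_DEVS];

/* Resolve an index at use time; NULL means the device is gone. */
static struct dev_model *dev_lookup(int ifindex)
{
    if (ifindex <= 0 || ifindex >= MAX_DEVS || !dev_table[ifindex].registered)
        return NULL;
    return &dev_table[ifindex];
}

static int register_dev(int ifindex, const char *name)
{
    if (ifindex <= 0 || ifindex >= MAX_DEVS || dev_table[ifindex].registered)
        return -1; /* invalid index or slot already in use */
    dev_table[ifindex].registered = 1;
    snprintf(dev_table[ifindex].name, sizeof(dev_table[ifindex].name), "%s", name);
    return 0;
}

/* Unregistering wipes the slot, standing in for the device being freed. */
static void unregister_dev(int ifindex)
{
    struct dev_model *dev = dev_lookup(ifindex);
    if (dev)
        memset(dev, 0, sizeof(*dev));
}

/* Consumer of a queued packet: must tolerate a vanished device. */
static const char *queued_pkt_indev(const struct nf_bridge_model *nb)
{
    struct dev_model *dev = dev_lookup(nb->physinif);
    return dev ? dev->name : NULL;
}

int main(void)
{
    struct nf_bridge_model nb = { .physinif = 5 }; /* constructed ifindex */
    register_dev(5, "veth0");
    printf("before unregister: %s\n", queued_pkt_indev(&nb));
    unregister_dev(5);
    printf("after unregister: %s\n", queued_pkt_indev(&nb) ? "present" : "gone");
    return 0;
}
```

In the kernel, `dev_get_by_index_rcu()` must be called inside an RCU read-side critical section, and the returned device used only within it; the model has no concurrency and only shows the NULL-on-removal behaviour.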