From: Sabrina Dubroca <sd@queasysnail.net>
To: Jianbo Liu <jianbol@nvidia.com>
Cc: Tariq Toukan <tariqt@nvidia.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
netdev@vger.kernel.org, Saeed Mahameed <saeedm@nvidia.com>,
Gal Pressman <gal@nvidia.com>,
Leon Romanovsky <leonro@nvidia.com>,
Patrisious Haddad <phaddad@nvidia.com>, Chris Mi <cmi@nvidia.com>
Subject: Re: [PATCH net] macsec: Fix use-after-free while sending the offloading packet
Date: Tue, 15 Oct 2024 16:56:30 +0200 [thread overview]
Message-ID: <Zw6CntwUyqM6CivS@hog> (raw)
In-Reply-To: <ded4f325-e83d-4b34-b96c-656fc3c0845f@nvidia.com>
2024-10-15, 21:46:26 +0800, Jianbo Liu wrote:
>
>
> On 10/15/2024 6:28 PM, Sabrina Dubroca wrote:
> > 2024-10-15, 17:57:59 +0800, Jianbo Liu wrote:
> > >
> > >
> > > On 10/15/2024 4:56 PM, Sabrina Dubroca wrote:
> > > > 2024-10-14, 12:07:20 +0300, Tariq Toukan wrote:
> > > > > From: Jianbo Liu <jianbol@nvidia.com>
> > > > >
> > > > > KASAN reports the following UAF. The metadata_dst, which is used to
> > > > > store the SCI value for macsec offload, is already freed by
> > > > > metadata_dst_free() in macsec_free_netdev(), while driver still use it
> > > > > for sending the packet.
> > > > >
> > > > > To fix this issue, dst_release() is used instead to release
> > > > > metadata_dst. So it is not freed instantly in macsec_free_netdev() if
> > > > > still referenced by skb.
> > > >
> > > > Ok. Then that packet is going to get dropped when it reaches the
> > > > driver, right? At this point the TXSA we need shouldn't be configured
> > >
> > > I think so because dst's output should be updated.
> >
> > What updates the dst when we're deleting the macsec device? And this
> > is just a metadata_dst, it's only useful to hold the SCI.
> >
>
> You are right. It's not updated.
>
> > But I guess we would have the same issue when the macsec device still
> > exists but the TXSA is gone, so hopefully this is handled well by all
> > drivers.
> >
>
> And for now, I'd rather focus on fixing the kernel crash caused by UAF.
Ok, but please take a look at it very soon. Sending packets
unencrypted when they should be encrypted can be just as bad as
crashing the system.
--
Sabrina
prev parent reply other threads:[~2024-10-15 14:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-14 9:07 [PATCH net] macsec: Fix use-after-free while sending the offloading packet Tariq Toukan
2024-10-15 8:56 ` Sabrina Dubroca
2024-10-15 9:57 ` Jianbo Liu
2024-10-15 10:28 ` Sabrina Dubroca
2024-10-15 13:46 ` Jianbo Liu
2024-10-15 14:56 ` Sabrina Dubroca [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zw6CntwUyqM6CivS@hog \
--to=sd@queasysnail.net \
--cc=cmi@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gal@nvidia.com \
--cc=jianbol@nvidia.com \
--cc=kuba@kernel.org \
--cc=leonro@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phaddad@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.