From: Florian Westphal <fw@strlen.de>
To: Richard Weinberger <richard@nod.at>
Cc: Florian Westphal <fw@strlen.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
David Miller <davem@davemloft.net>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
David Gstir <david@sigma-star.at>,
kaber@trash.net, "keescook@chromium.org" <keescook@chromium.org>
Subject: Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID
Date: Fri, 30 Jun 2017 21:55:47 +0200 [thread overview]
Message-ID: <20170630195547.GN9307@breakpoint.cc> (raw)
In-Reply-To: <f3d78dc5-7694-8e01-ac4d-54fc248a96f1@nod.at>
Richard Weinberger <richard@nod.at> wrote:
> Florian,
>
> Am 30.06.2017 um 21:35 schrieb Florian Westphal:
> > Richard Weinberger <richard@nod.at> wrote:
> >> Hi!
> >>
> >> I noticed that nf_conntrack leaks kernel addresses, it uses the memory address
> >> as identifier used for generating conntrack and expect ids..
> >> Since these ids are also visible to unprivileged users via network namespaces
> >> I suggest reverting these commits:
> >
> > Why not use a hash of the address?
>
> Would also work. Or xor it with a random number.
>
> On the other hand, for user space it would be more useful when the conntrack id
> does not repeat that often. That's why I favor the good old counter method.
> Currently the conntrack id is reused very fast.
> e.g. in one of our applications we use the conntack id via NFQUEUE and watch the
> destroy events via conntrack. It happens regularly that a new connection has the
> same id than a different connection we saw some moments before, before we receive
> the destroy event from the conntrack socket.
Perhaps we can place that in a new extension (its not needed in any
fastpath ops)?
next prev parent reply other threads:[~2017-06-30 19:55 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-30 19:25 nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID Richard Weinberger
2017-06-30 19:35 ` Florian Westphal
2017-06-30 19:45 ` Richard Weinberger
2017-06-30 19:55 ` Florian Westphal [this message]
2017-06-30 20:23 ` Richard Weinberger
2017-07-01 9:44 ` Pablo Neira Ayuso
2017-07-01 10:35 ` Florian Westphal
2017-07-12 21:26 ` Richard Weinberger
2017-07-12 22:19 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170630195547.GN9307@breakpoint.cc \
--to=fw@strlen.de \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=david@sigma-star.at \
--cc=kaber@trash.net \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=richard@nod.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).