Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
References: <20190409065612.32652-1-rdong.ge@gmail.com> <20190422083339.ptkxqb66pombgy5g@salvia>
 <CAN1Lvyo1CVopsB7iV=e-dAN9JDFg-SmQ8g6H6RrgD7qACAd4hQ@mail.gmail.com>
 <20190422093502.36da6z3qf7zxpwny@breakpoint.cc> <CAN1LvyrSWPbNSvzLquQAeK9kYK=YyqyJEm7zodd3O-QWAVTC4Q@mail.gmail.com>
In-Reply-To: <CAN1LvyrSWPbNSvzLquQAeK9kYK=YyqyJEm7zodd3O-QWAVTC4Q@mail.gmail.com>
From:   Rundong Ge <rdong.ge@gmail.com>
Date:   Mon, 22 Apr 2019 18:10:06 +0800
Message-ID: <CAN1Lvyq_6ee3Rwmg8VKR0NW54HABqL9n4L2Tiw9YXs=pSu9sYw@mail.gmail.com>
Subject: Re: [PATCH] netfilter: fix dangling pointer access of fake_rtable
To:     Florian Westphal <fw@strlen.de>
Cc:     Pablo Neira Ayuso <pablo@netfilter.org>, kadlec@blackhole.kfki.hu,
        Roopa Prabhu <roopa@cumulusnetworks.com>, davem@davemloft.net,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

The hook in my testcase is at NF_BR_FORWARD, and priority is -2.
And at this hook point both the entry->out  and entry->in  are not
bridge device.
But the dst was set to the bridge's fake_rtable.

Rundong Ge <rdong.ge@gmail.com> =E4=BA=8E2019=E5=B9=B44=E6=9C=8822=E6=97=A5=
=E5=91=A8=E4=B8=80 =E4=B8=8B=E5=8D=885:51=E5=86=99=E9=81=93=EF=BC=9A
>
> skb->dev is munged in setup_prerouting() to be bridge or vlan device on
> top of bridge.
> --Yes, but  br_nf_pre_routing_finish will set the skb->dev back to the ph=
yindev.
>
> Florian Westphal <fw@strlen.de> =E4=BA=8E2019=E5=B9=B44=E6=9C=8822=E6=97=
=A5=E5=91=A8=E4=B8=80 =E4=B8=8B=E5=8D=885:35=E5=86=99=E9=81=93=EF=BC=9A
> >
> > Rundong Ge <rdong.ge@gmail.com> wrote:
> > > br_nf_pre_routing will call the NF_INET_PRE_ROUTING hooks, at this
> > > time both entry->state.in and entry->state.out are not bridge device.
> > >
> > > NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb=
,
> > > skb->dev, NULL,
> > > br_nf_pre_routing_finish);
> >
> > skb->dev is munged in setup_prerouting() to be bridge or vlan device on
> > top of bridge.
> >
> > That being said, I think we need this fix at least:
> >
> > diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
> > --- a/net/netfilter/nf_queue.c
> > +++ b/net/netfilter/nf_queue.c
> > @@ -197,8 +197,15 @@ static int __nf_queue(struct sk_buff *skb, const s=
truct nf_hook_state *state,
> >                 .size   =3D sizeof(*entry) + route_key_size,
> >         };
> >
> > +       if (skb_dst(skb)) {
> > +               skb_dst_force(skb);
> > +               if (!skb_dst(skb)) {
> > +                       status =3D -EHOSTUNREACH;
> > +                       goto err;
> > +               }
> > +       }
> > +
> >         nf_queue_entry_get_refs(entry);
> > -       skb_dst_force(skb);
> >
> >         switch (entry->state.pf) {
> >         case AF_INET:
> >
> >
> > Then, why not add, in dev_cmp:
> >
> >         dst =3D skb_dst(skb);
> >         if (dst && dst->dev->index =3D=3D index ...
> >
> > ?