nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID

From: Richard Weinberger
Date: Fri Jun 30 2017 - 15:25:32 EST

Next message: tip-bot for Vikas Shivappa: "[tip:x86/urgent] x86/intel_rdt: Fix memory leak on mount failure"
Previous message: Arnd Bergmann: "Re: [PATCH] [net-next] net/mlx5: include wq.o in non-ethernet build for FPGA"
Next in thread: Florian Westphal: "Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

I noticed that nf_conntrack leaks kernel addresses, it uses the memory address
as identifier used for generating conntrack and expect ids..
Since these ids are also visible to unprivileged users via network namespaces
I suggest reverting these commits:

commit 7f85f914721ffcef382a57995182916bd43d8a65
Author: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri Sep 28 14:41:27 2007 -0700

[NETFILTER]: nf_conntrack: kill unique ID

Remove the per-conntrack ID, its not necessary anymore for dumping.
For compatiblity reasons we send the address of the conntrack to
userspace as ID.

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

commit 3583240249ef354760e04ae49bd7b462a638f40c
Author: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri Sep 28 14:41:50 2007 -0700

[NETFILTER]: nf_conntrack_expect: kill unique ID

Similar to the conntrack ID, the per-expectation ID is not needed
anymore, kill it.

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

Thanks,
//richard

Next message: tip-bot for Vikas Shivappa: "[tip:x86/urgent] x86/intel_rdt: Fix memory leak on mount failure"
Previous message: Arnd Bergmann: "Re: [PATCH] [net-next] net/mlx5: include wq.o in non-ethernet build for FPGA"
Next in thread: Florian Westphal: "Re: nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]