netfilter: bridge: replace physindev with physinif in nf_bridge_info

PlaidCat · PlaidCat · commit 533da7fa4548 · 2025-06-06T13:32:47.000-04:00
jira LE-3201 cve CVE-2024-35839 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10 commit-author Pavel Tikhomirov <ptikhomirov@virtuozzo.com> commit 9874808 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/98748088.failed An skb can be added to a neigh->arp_queue while waiting for an arp reply. Where original skb's skb->dev can be different to neigh's neigh->dev. For instance in case of bridging dnated skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge. As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from been freed under us (for instance neigh_flush_dev doesn't cleanup skbs from different device's neigh queue) we can crash on e.g. this stack: arp_process neigh_update skb = __skb_dequeue(&neigh->arp_queue) neigh_resolve_output(..., skb) ... br_nf_dev_xmit br_nf_pre_routing_finish_bridge_slow skb->dev = nf_bridge->physindev br_handle_frame_finish Let's use plain ifindex instead of net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get device and are safe to use it or we don't get it and drop skb. Fixes: c4e70a8 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c") Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 9874808) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bridge/br_netfilter_hooks.c
diff --git a/ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/98748088.failed b/ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/98748088.failed
@@ -0,0 +1,229 @@
+netfilter: bridge: replace physindev with physinif in nf_bridge_info
+
+jira LE-3201
+cve CVE-2024-35839
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10
+commit-author Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+commit 9874808878d9eed407e3977fd11fee49de1e1d86
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/98748088.failed
+
+An skb can be added to a neigh->arp_queue while waiting for an arp
+reply. Where original skb's skb->dev can be different to neigh's
+neigh->dev. For instance in case of bridging dnated skb from one veth to
+another, the skb would be added to a neigh->arp_queue of the bridge.
+
+As skb->dev can be reset back to nf_bridge->physindev and used, and as
+there is no explicit mechanism that prevents this physindev from been
+freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
+different device's neigh queue) we can crash on e.g. this stack:
+
+arp_process
+  neigh_update
+    skb = __skb_dequeue(&neigh->arp_queue)
+      neigh_resolve_output(..., skb)
+        ...
+          br_nf_dev_xmit
+            br_nf_pre_routing_finish_bridge_slow
+              skb->dev = nf_bridge->physindev
+              br_handle_frame_finish
+
+Let's use plain ifindex instead of net_device link. To peek into the
+original net_device we will use dev_get_by_index_rcu(). Thus either we
+get device and are safe to use it or we don't get it and drop skb.
+
+Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
+	Suggested-by: Florian Westphal <fw@strlen.de>
+	Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 9874808878d9eed407e3977fd11fee49de1e1d86)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/bridge/br_netfilter_hooks.c
+diff --cc net/bridge/br_netfilter_hooks.c
+index 3935e9c04e6c,ed1720890757..000000000000
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@@ -276,9 -277,19 +276,23 @@@ int br_nf_pre_routing_finish_bridge(str
+  		struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+  		int ret;
+  
+++<<<<<<< HEAD
+ +		if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) {
+++=======
++ 		if ((READ_ONCE(neigh->nud_state) & NUD_CONNECTED) &&
++ 		    READ_ONCE(neigh->hh.hh_len)) {
++ 			struct net_device *br_indev;
++ 
++ 			br_indev = nf_bridge_get_physindev(skb, net);
++ 			if (!br_indev) {
++ 				neigh_release(neigh);
++ 				goto free_skb;
++ 			}
++ 
+++>>>>>>> 9874808878d9 (netfilter: bridge: replace physindev with physinif in nf_bridge_info)
+  			neigh_hh_bridge(&neigh->hh, skb);
+- 			skb->dev = nf_bridge->physindev;
++ 			skb->dev = br_indev;
++ 
+  			ret = br_handle_frame_finish(net, sk, skb);
+  		} else {
+  			/* the neighbour function below overwrites the complete
+@@@ -450,8 -471,8 +470,13 @@@ struct net_device *setup_pre_routing(st
+  	}
+  
+  	nf_bridge->in_prerouting = 1;
+++<<<<<<< HEAD
+ +	nf_bridge->physindev = skb->dev;
+ +	skb->dev = brnf_get_logical_dev(skb, skb->dev);
+++=======
++ 	nf_bridge->physinif = skb->dev->ifindex;
++ 	skb->dev = brnf_get_logical_dev(skb, skb->dev, net);
+++>>>>>>> 9874808878d9 (netfilter: bridge: replace physindev with physinif in nf_bridge_info)
+  
+  	if (skb->protocol == htons(ETH_P_8021Q))
+  		nf_bridge->orig_proto = BRNF_PROTO_8021Q;
+diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
+index 25bf5871117c..515a4257bc51 100644
+--- a/include/linux/netfilter_bridge.h
++++ b/include/linux/netfilter_bridge.h
+@@ -35,7 +35,7 @@ static inline int nf_bridge_get_physinif(const struct sk_buff *skb)
+ 	if (!nf_bridge)
+ 		return 0;
+ 
+-	return nf_bridge->physindev ? nf_bridge->physindev->ifindex : 0;
++	return nf_bridge->physinif;
+ }
+ 
+ static inline int nf_bridge_get_physoutif(const struct sk_buff *skb)
+@@ -53,7 +53,7 @@ nf_bridge_get_physindev(const struct sk_buff *skb, struct net *net)
+ {
+ 	const struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+ 
+-	return nf_bridge ? nf_bridge->physindev : NULL;
++	return nf_bridge ? dev_get_by_index_rcu(net, nf_bridge->physinif) : NULL;
+ }
+ 
+ static inline struct net_device *
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 6ca0c724a047..d920a4cb5f3f 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -268,7 +268,7 @@ struct nf_bridge_info {
+ 	u8			in_prerouting:1;
+ 	u8			bridged_dnat:1;
+ 	__u16			frag_max_size;
+-	struct net_device	*physindev;
++	int			physinif;
+ 
+ 	/* always valid & non-NULL from FORWARD on, for physdev match */
+ 	struct net_device	*physoutdev;
+* Unmerged path net/bridge/br_netfilter_hooks.c
+diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
+index bec1423ac60f..2464e8134cfb 100644
+--- a/net/bridge/br_netfilter_ipv6.c
++++ b/net/bridge/br_netfilter_ipv6.c
+@@ -161,9 +161,15 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
+ {
+ 	struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+ 	struct rtable *rt;
+-	struct net_device *dev = skb->dev;
++	struct net_device *dev = skb->dev, *br_indev;
+ 	const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
+ 
++	br_indev = nf_bridge_get_physindev(skb, net);
++	if (!br_indev) {
++		kfree_skb(skb);
++		return 0;
++	}
++
+ 	nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
+ 
+ 	if (nf_bridge->pkt_otherhost) {
+@@ -181,7 +187,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
+ 		}
+ 
+ 		if (skb_dst(skb)->dev == dev) {
+-			skb->dev = nf_bridge->physindev;
++			skb->dev = br_indev;
+ 			nf_bridge_update_protocol(skb);
+ 			nf_bridge_push_encap_header(skb);
+ 			br_nf_hook_thresh(NF_BR_PRE_ROUTING,
+@@ -192,7 +198,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
+ 		ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
+ 		skb->pkt_type = PACKET_HOST;
+ 	} else {
+-		rt = bridge_parent_rtable(nf_bridge->physindev);
++		rt = bridge_parent_rtable(br_indev);
+ 		if (!rt) {
+ 			kfree_skb(skb);
+ 			return 0;
+@@ -201,7 +207,7 @@ static int br_nf_pre_routing_finish_ipv6(struct net *net, struct sock *sk, struc
+ 		skb_dst_set_noref(skb, &rt->dst);
+ 	}
+ 
+-	skb->dev = nf_bridge->physindev;
++	skb->dev = br_indev;
+ 	nf_bridge_update_protocol(skb);
+ 	nf_bridge_push_encap_header(skb);
+ 	br_nf_hook_thresh(NF_BR_PRE_ROUTING, net, sk, skb,
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index b74e5f5104aa..afb60a7aa62a 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -102,7 +102,6 @@ EXPORT_SYMBOL_GPL(nf_reject_ip_tcphdr_put);
+ /* Send RST reply */
+ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
+ {
+-	struct net_device *br_indev __maybe_unused;
+ 	struct sk_buff *nskb;
+ 	struct iphdr *niph;
+ 	const struct tcphdr *oth;
+@@ -148,9 +147,13 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
+ 	 * build the eth header using the original destination's MAC as the
+ 	 * source, and send the RST packet directly.
+ 	 */
+-	br_indev = nf_bridge_get_physindev(oldskb, net);
+-	if (br_indev) {
++	if (nf_bridge_info_exists(oldskb)) {
+ 		struct ethhdr *oeth = eth_hdr(oldskb);
++		struct net_device *br_indev;
++
++		br_indev = nf_bridge_get_physindev(oldskb, net);
++		if (!br_indev)
++			goto free_nskb;
+ 
+ 		nskb->dev = br_indev;
+ 		niph->tot_len = htons(nskb->len);
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index e0b2657c18b3..b4fffbe4d5cc 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -131,7 +131,6 @@ EXPORT_SYMBOL_GPL(nf_reject_ip6_tcphdr_put);
+ 
+ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+ {
+-	struct net_device *br_indev __maybe_unused;
+ 	struct sk_buff *nskb;
+ 	struct tcphdr _otcph;
+ 	const struct tcphdr *otcph;
+@@ -198,9 +197,15 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
+ 	 * build the eth header using the original destination's MAC as the
+ 	 * source, and send the RST packet directly.
+ 	 */
+-	br_indev = nf_bridge_get_physindev(oldskb, net);
+-	if (br_indev) {
++	if (nf_bridge_info_exists(oldskb)) {
+ 		struct ethhdr *oeth = eth_hdr(oldskb);
++		struct net_device *br_indev;
++
++		br_indev = nf_bridge_get_physindev(oldskb, net);
++		if (!br_indev) {
++			kfree_skb(nskb);
++			return;
++		}
+ 
+ 		nskb->dev = br_indev;
+ 		nskb->protocol = htons(ETH_P_IPV6);
