kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (!4537) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Florian Westphal requested to merge fwestpha/centos-stream-9-fw:issue37040 into main Jun 24, 2024

JIRA: https://issues.redhat.com/browse/RHEL-37040 JIRA: https://issues.redhat.com/browse/RHEL-37041 CVE: CVE-2024-35839

nf_bridge->physindev stores dev pointer without holding reference, so if skb gets queued somewhere and device disappears further access results in UaF.

Store device ifindex instead and re-lookup, its less intrusive and error prone than adding refcounting.

Signed-off-by: Florian Westphal fwestpha@redhat.com

Edited Jun 24, 2024 by Florian Westphal

kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info

Merge request reports