nf_conntrack: Infoleak via CTA_ID and CTA_EXPECT_ID
From: Richard Weinberger
Date: Fri Jun 30 2017 - 15:25:32 EST
Hi!
I noticed that nf_conntrack leaks kernel addresses, it uses the memory address
as identifier used for generating conntrack and expect ids..
Since these ids are also visible to unprivileged users via network namespaces
I suggest reverting these commits:
commit 7f85f914721ffcef382a57995182916bd43d8a65
Author: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri Sep 28 14:41:27 2007 -0700
[NETFILTER]: nf_conntrack: kill unique ID
Remove the per-conntrack ID, its not necessary anymore for dumping.
For compatiblity reasons we send the address of the conntrack to
userspace as ID.
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
commit 3583240249ef354760e04ae49bd7b462a638f40c
Author: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri Sep 28 14:41:50 2007 -0700
[NETFILTER]: nf_conntrack_expect: kill unique ID
Similar to the conntrack ID, the per-expectation ID is not needed
anymore, kill it.
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Thanks,
//richard