CVE-2024-35839

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: bridge: replace physindev with physinif in nf_bridge_info<br /> <br /> An skb can be added to a neigh-&gt;arp_queue while waiting for an arp<br /> reply. Where original skb&amp;#39;s skb-&gt;dev can be different to neigh&amp;#39;s<br /> neigh-&gt;dev. For instance in case of bridging dnated skb from one veth to<br /> another, the skb would be added to a neigh-&gt;arp_queue of the bridge.<br /> <br /> As skb-&gt;dev can be reset back to nf_bridge-&gt;physindev and used, and as<br /> there is no explicit mechanism that prevents this physindev from been<br /> freed under us (for instance neigh_flush_dev doesn&amp;#39;t cleanup skbs from<br /> different device&amp;#39;s neigh queue) we can crash on e.g. this stack:<br /> <br /> arp_process<br /> neigh_update<br /> skb = __skb_dequeue(&amp;neigh-&gt;arp_queue)<br /> neigh_resolve_output(..., skb)<br /> ...<br /> br_nf_dev_xmit<br /> br_nf_pre_routing_finish_bridge_slow<br /> skb-&gt;dev = nf_bridge-&gt;physindev<br /> br_handle_frame_finish<br /> <br /> Let&amp;#39;s use plain ifindex instead of net_device link. To peek into the<br /> original net_device we will use dev_get_by_index_rcu(). Thus either we<br /> get device and are safe to use it or we don&amp;#39;t get it and drop skb.