CVE-2024-27018

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: skip conntrack input hook for promisc packets

For historical reasons, when bridge device is in promisc mode, packets that are directed to the taps follow bridge input hook path. This patch adds a workaround to reset conntrack for these packets.

Jianbo Liu reports warning splats in their test infrastructure where cloned packets reach the br_netfilter input hook to confirm the conntrack object.

Scratch one bit from BRINPUTSKB_CB to annotate that this packet has reached the input hook because it is passed up to the bridge device to reach the taps.

[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/brnetfilterhooks.c:616 brnflocalin+0x157/0x180 [brnetfilter] [ 57.572749] Modules linked in: xtMASQUERADE nfconntracknetlink nfnetlink iptablenat xtaddrtype xtconntrack nfnat brnetfilter rpcsecgsskrb5 authrpcgss oidregistry overlay rpcrdma rdmaucm ibiser libiscsi scsitransportisc si ibumad rdmacm ibipoib iwcm ibcm mlx5ib ibuverbs ibcore mlx5ctl mlx5core [ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19 [ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 57.576662] RIP: 0010:brnflocalin+0x157/0x180 [br_netfilter] [ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1 [ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202 [ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000 [ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000 [ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003 [ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000 [ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800 [ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000 [ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0 [ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 57.585440] Call Trace: [ 57.585721] <IRQ> [ 57.585976] ? __warn+0x7d/0x130 [ 57.586323] ? brnflocalin+0x157/0x180 [brnetfilter] [ 57.586811] ? reportbug+0xf1/0x1c0 [ 57.587177] ? handlebug+0x3f/0x70 [ 57.587539] ? excinvalidop+0x13/0x60 [ 57.587929] ? asmexcinvalidop+0x16/0x20 [ 57.588336] ? brnflocalin+0x157/0x180 [brnetfilter] [ 57.588825] nfhookslow+0x3d/0xd0 [ 57.589188] ? brhandlevlan+0x4b/0x110 [ 57.589579] brpassframeup+0xfc/0x150 [ 57.589970] ? brportflagschange+0x40/0x40 [ 57.590396] brhandleframefinish+0x346/0x5e0 [ 57.590837] ? iptdotable+0x32e/0x430 [ 57.591221] ? brhandlelocalfinish+0x20/0x20 [ 57.591656] brnfhookthresh+0x4b/0xf0 [brnetfilter] [ 57.592286] ? brhandlelocalfinish+0x20/0x20 [ 57.592802] brnfpreroutingfinish+0x178/0x480 [brnetfilter] [ 57.593348] ? brhandlelocalfinish+0x20/0x20 [ 57.593782] ? nfnatipv4prerouting+0x25/0x60 [nfnat] [ 57.594279] brnfprerouting+0x24c/0x550 [brnetfilter] [ 57.594780] ? brnfhookthresh+0xf0/0xf0 [brnetfilter] [ 57.595280] brhandleframe+0x1f3/0x3d0 [ 57.595676] ? brhandlelocalfinish+0x20/0x20 [ 57.596118] ? brhandleframe_finish+0x5e0/0x5e0 [ 57.596566] __netifreceiveskb_core+0x25b/0xfc0 [ 57.597017] ? __napibuildskb+0x37/0x40 [ 57.597418] __netifreceiveskblistcore+0xfb/0x220