On Tue, Oct 10, 2023 at 1:32 PM Christian Theune ct@flyingcircus.io wrote:
Hi,
On 10. Oct 2023, at 17:02, Jamal Hadi Salim jhs@mojatatu.com wrote:
This is a tough one - as it stands right now we dont see a good way out. It's either "exploitable by root / userns" or break uapi. Christian - can you send your "working" scripts, simplified if possible, and we'll take a look.
Sure, what kind of simplification are we talking about? Something like this?
#### snip #!/bin/bash modprobe ifb modprobe act_mirred
uplink=eth0 uplink_ingress=ifb0
tc qdisc add dev $uplink handle ffff: ingress ifconfig $uplink up
tc filter add dev $uplink parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $uplink_ingress
tc qdisc add dev $uplink_ingress root handle 1: hfsc default 1 tc class add dev $uplink_ingress parent 1: classid 1:999 hfsc rt m2 2.5gbit tc class add dev $uplink_ingress parent 1:999 classid 1:1 hfsc sc rate 50mbit #### snap
This should provoke the error reliably. You might need to point it at whatever network interface is available but need to be prepared to loose connectivity.
Ok - thanks, we'll look at this from the perspective of both ensuring UAF is gone and making your config happy. TBH, in my view UAF comes first but we can debate that later.
cheers, jamal
Christian
Liebe Grüße, Christian Theune
-- Christian Theune · ct@flyingcircus.io · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick