Bug? Non-privileged processes can in some cases spoof the wrong sending IP

From: Luke Dashjr
Date: Tue Mar 03 2020 - 18:12:20 EST

Next message: shuah: "Re: [PATCH 5.4 000/152] 5.4.24-stable review"
Previous message: Ard Biesheuvel: "Re: [PATCH v2 5/5] efi/x86: Don't relocate the kernel unless necessary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It seems non-privileged processes can bind an IP on one interface, and then
send to addresses not routed through that interface, to spoof that IP on an
unrelated network (eg, the default route).

Shouldn't there be something to prevent this? Presumably it's not expected
behaviour, since you can't just bind to any arbitrary addresses...?

(FWIW I can see cases where this might be considered a security issue, but the
MAINTAINERS file explicitly said address leaks don't count...)

Luke

P.S. I discovered this because Chromium's WebRTC implementation attempts to
send UDP from configured IPv4 address; and then Linux's MASQUERADE also
doesn't check that it have the correct return path, so it tried to NAT my WAN
to my WAN, which resulted in sending out from the origin IP instead of my
own, and triggered my modem to disconnect me. (I guess this scenario is a bit
too convoluted to be considered a general DoS risk)

Next message: shuah: "Re: [PATCH 5.4 000/152] 5.4.24-stable review"
Previous message: Ard Biesheuvel: "Re: [PATCH v2 5/5] efi/x86: Don't relocate the kernel unless necessary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]