lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 13 Apr 2015 17:09:20 +0200
From:	Sebastian Poehn <sebastian.poehn@...il.com>
To:	Sebastian Poehn <sebastian.poehn@...il.com>
Cc:	Eric Dumazet <eric.dumazet@...il.com>, netdev@...r.kernel.org,
	David Miller <davem@...emloft.net>,
	Florian Westphal <fw@...len.de>
Subject: Re: [FYI] xfrm: Don't lookup sk_policy for timewait sockets

On Mon, 2015-04-13 at 10:04 +0200, Sebastian Poehn wrote:
> 
> Played around with sending crafted packets to a transparent tw socket.
> 
> For SYN tproxy does the re-lookup of the listening socket, which is fine. But for
> packets without SYN is assigns the tw socket. However this is not an issue as the
> fw mark is set, policy routing processes frame, so it becomes input and finally is
> dropped in TCP receive path. But if I remove the policy routing rule the frame
> enters the forwarding path.
> 
> Unfortunately this did not trigger the panic but this may be just by chance.
> 
> However I can't explain what is wrong with the ip rule maybe setup related.
> 
First of all: This issue will only happen if there is something screwed up with 
policy routing. We don't use any 'exotic' policy to match the TPROXY traffic nor
is there anything that could damage the mark.

ip rule add from all fwmark 0x1/0x1 lookup X

However it happens - maybe a race with configuration.

I found TPROXY behavior correct:
1) For SYN on tw socket it assigns listening socket
2) Otherwise tw socket is assigned with is required for protocol conformity

Principally the problem is that TPROXY cannot ensure that policy routing is
working correctly. Florian suggested me to clean skb->sk in ip_forward. I even think
dropping the frame is fine. Not sure if this is suited for mainline.

diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 939992c..2fc3b3e 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -82,6 +82,10 @@ int ip_forward(struct sk_buff *skb)
 	if (skb->pkt_type != PACKET_HOST)
 		goto drop;
 
+	/* this should happen neither */
+	if (unlikely(skb->sk))
+		goto drop;
+
 	if (skb_warn_if_lro(skb))
 		goto drop;
 		
Signed-off-by: Sebastian Poehn <sebastian.poehn@...il.com> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ