lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 3 Feb 2010 21:14:57 +0100
From:	"Stefan Lippers-Hollmann" <s.L-H@....de>
To:	gregkh@...e.de
Cc:	linux-kernel@...r.kernel.org, hadi@...erus.ca, davem@...emloft.net,
	stable@...nel.org
Subject: Re: patch net-restore-ip-source-validation.patch added to 2.6.32-stable tree

Hi

On Wednesday 03 February 2010, gregkh@...e.de wrote:
> This is a note to let you know that we have just queued up the patch titled
> 
>     Subject: net: restore ip source validation
> 
> to the 2.6.32-stable tree.  Its filename is
> 
>     net-restore-ip-source-validation.patch
> 
> A git repo of this tree can be found at 
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> 
> From 0813ef21a1a15a3c8b6b98c8ff3ef119f5e242ac Mon Sep 17 00:00:00 2001
> From: Jamal Hadi Salim <hadi@...erus.ca>
> Date: Fri, 25 Dec 2009 17:30:22 -0800
> Subject: net: restore ip source validation
> 
> From: Jamal Hadi Salim <hadi@...erus.ca>
> 
> [ Upstream commit 28f6aeea3f12d37bd258b2c0d5ba891bff4ec479 ]

This patch, as part of the current 2.6.32 stable queue, breaks booting with
an oops very early, before the framebuffer got a chance to initialize 
(unfortunately most of it is cut with the unavoidable vga=0, so I didn't 
write it down yet), on amd64 and i386 (kernel configs attached). Removing
just this patch from queue-2.6.32 fixes the problem for me; kernel 2.6.33 
HEAD doesn't seem to be affected.

Regards
	Stefan Lippers-Hollmann

-- 
> when using policy routing and the skb mark:
> there are cases where a back path validation requires us
> to use a different routing table for src ip validation than
> the one used for mapping ingress dst ip.
> One such a case is transparent proxying where we pretend to be
> the destination system and therefore the local table
> is used for incoming packets but possibly a main table would
> be used on outbound.
> Make the default behavior to allow the above and if users
> need to turn on the symmetry via sysctl src_valid_mark
> 
> Signed-off-by: Jamal Hadi Salim <hadi@...erus.ca>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
> 
> ---
>  include/linux/inetdevice.h |    1 +
>  include/linux/sysctl.h     |    1 +
>  net/ipv4/devinet.c         |    1 +
>  net/ipv4/fib_frontend.c    |    2 ++
>  4 files changed, 5 insertions(+)
> 
> --- a/include/linux/inetdevice.h
> +++ b/include/linux/inetdevice.h
> @@ -83,6 +83,7 @@ static inline void ipv4_devconf_setall(s
>  #define IN_DEV_FORWARD(in_dev)		IN_DEV_CONF_GET((in_dev), FORWARDING)
>  #define IN_DEV_MFORWARD(in_dev)		IN_DEV_ANDCONF((in_dev), MC_FORWARDING)
>  #define IN_DEV_RPFILTER(in_dev)		IN_DEV_MAXCONF((in_dev), RP_FILTER)
> +#define IN_DEV_SRC_VMARK(in_dev)    	IN_DEV_ORCONF((in_dev), SRC_VMARK)
>  #define IN_DEV_SOURCE_ROUTE(in_dev)	IN_DEV_ANDCONF((in_dev), \
>  						       ACCEPT_SOURCE_ROUTE)
>  #define IN_DEV_BOOTP_RELAY(in_dev)	IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -490,6 +490,7 @@ enum
>  	NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
>  	NET_IPV4_CONF_ARP_ACCEPT=21,
>  	NET_IPV4_CONF_ARP_NOTIFY=22,
> +	NET_IPV4_CONF_SRC_VMARK=24,
>  	__NET_IPV4_CONF_MAX
>  };
>  
> --- a/net/ipv4/devinet.c
> +++ b/net/ipv4/devinet.c
> @@ -1450,6 +1450,7 @@ static struct devinet_sysctl_table {
>  		DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
>  		DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
>  					"accept_source_route"),
> +		DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
>  		DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
>  		DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
>  		DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
> --- a/net/ipv4/fib_frontend.c
> +++ b/net/ipv4/fib_frontend.c
> @@ -251,6 +251,8 @@ int fib_validate_source(__be32 src, __be
>  	if (in_dev) {
>  		no_addr = in_dev->ifa_list == NULL;
>  		rpf = IN_DEV_RPFILTER(in_dev);
> +		if (mark && !IN_DEV_SRC_VMARK(in_dev))
> +			fl.mark = 0;
>  	}
>  	rcu_read_unlock();
>  

Download attachment "config-2.6.32-7.slh.3-sidux-686.gz" of type "application/x-gzip" (26919 bytes)

Download attachment "config-2.6.32-7.slh.3-sidux-amd64.gz" of type "application/x-gzip" (25897 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ