Date:	Wed, 7 May 2014 16:10:46 +0800
From:	nickcave <nickcave.zhang@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: _decode_session6 issue when ipsec packet re routing

Hi All:

I am working on android kk4.4 with kernel version 3.10.
I met a problem with IPsec + IPv6 + iptables mangle set.

I built a non-default network interface ccinet0 with IP address
fd00:0:20:1::1:1 and added some mangle rules (attached at the
end). Then I added an IPsec SA with ip xfrm and tried to send a UDP packet to
fd00:0:20:1::1:4, and I found the packet was sent out in plaintext.

Once I delete the mangle rule, it works well.

So I traced the kernel.

Since the mangle table mark is set, in ip6t_mangle_out, when
ip6t_do_table is called, the skb needs re-routing by calling
ip6_route_me_harder.

The result was that the xfrm policy could not be matched in ip6_route_me_harder
and the packet was sent out in plaintext.

I found it's caused by
    ip6_route_me_harder -> xfrm_decode_session -> _decode_session6: the
function gets nexthdr from cb, which is not correct in this case.
    u8 nexthdr = nh[IP6CB(skb)->nhoff]; // in my case, the nexthdr is
always 96, which caused the issue

And I checked the IPv4 code; IPv4 gets the protocol info from the skb header directly:
    const struct iphdr *iph = ip_hdr(skb);

Is it a kernel issue?

Hui Zhang


root@...alhost:/ # ip6tables -S -t mangle
ip6tables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N bw_mangle_POSTROUTING
-N idletimer_mangle_POSTROUTING
-N st_mangle_EXEMPT
-N st_mangle_OUTPUT
-N st_mangle_POSTROUTING
-A OUTPUT -j st_mangle_EXEMPT
-A OUTPUT -j st_mangle_OUTPUT
-A POSTROUTING -j bw_mangle_POSTROUTING
-A POSTROUTING -j idletimer_mangle_POSTROUTING
-A POSTROUTING -j st_mangle_POSTROUTING
-A bw_mangle_POSTROUTING -m owner --socket-exists
-A st_mangle_EXEMPT -d fd00:0:20:1::1:4/128 -j MARK --set-xmark 0x1/0xffffffff
-A st_mangle_EXEMPT -d fd00:0:20:1::1:5/128 -j MARK --set-xmark 0x1/0xffffffff
-A st_mangle_OUTPUT -m mark --mark 0x1 -j RETURN
-A st_mangle_OUTPUT -m owner --uid-owner 1016 -j RETURN


root@...alhost:/ # ip -6 rule
ip -6 rule
0:      from all lookup local
99:     from all to fd00:0:20:1::1:4 lookup main
99:     from all to fd00:0:20:1::1:5 lookup main
32766:  from all lookup main
32767:  from all lookup default

255|root@...alhost:/ # ip -6 route list table all
ip -6 route list table all
default dev ccinet0  table 61  metric 1024
unreachable default dev lo  table 0  proto kernel  metric 4294967295  error -101
unreachable default dev lo  table 0  proto kernel  metric 4294967295  error -101
fd00:0:0:2::/64 dev ccinet0  proto kernel  metric 256
fd00:0:20:1::1:4 dev ccinet0  metric 1024
fd00:0:20:1::1:5 dev ccinet0  metric 1024
fe80::/64 dev ccinet0  proto kernel  metric 256
unreachable default dev lo  table 0  proto kernel  metric 4294967295  error -101
local ::1 dev lo  table local  proto none  metric 0
local fd00:0:0:2::1 dev lo  table local  proto none  metric 0
local fe80::1 dev lo  table local  proto none  metric 0
ff00::/8 dev ccinet0  table local  metric 256
unreachable default dev lo  table 0  proto kernel  metric 4294967295  error -101
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
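The report above hinges on where the IPv6 upper-layer protocol is read from: a cached control-block offset (IP6CB(skb)->nhoff) versus the packet itself. As an added illustration that is not part of the mail and not kernel code, the user-space parser below walks the IPv6 extension-header chain (hop-by-hop, routing, destination options, fragment) starting from the fixed header, the way the IPv4 path reads ip_hdr(skb) directly, and reports the transport protocol and ports. The sample packet (hop-by-hop header followed by UDP, addresses borrowed from the mail) is constructed for this example; the function names are this example's own.

```c
/* Added example (not from the mail or the kernel): locate the upper-layer
 * protocol of an IPv6 packet by walking the extension headers from the
 * fixed header, instead of trusting a cached next-header offset. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define NEXTHDR_HOP       0
#define NEXTHDR_TCP       6
#define NEXTHDR_UDP      17
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_NONE     59
#define NEXTHDR_DEST     60

struct flow6 {
    uint8_t  proto;       /* upper-layer protocol, NEXTHDR_NONE if absent */
    uint16_t sport, dport;/* valid only when ports_valid is set */
    int      ports_valid;
};

/* Returns 0 on success, -1 if the packet is truncated or not IPv6. */
int decode_flow6(const uint8_t *pkt, size_t len, struct flow6 *out)
{
    memset(out, 0, sizeof *out);
    out->proto = NEXTHDR_NONE;
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nexthdr = pkt[6];       /* Next Header field of the fixed header */
    size_t  off = IPV6_HDR_LEN;
    for (;;) {
        switch (nexthdr) {
        case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_DEST: {
            /* generic extension header: next header, then length in 8-octet
             * units not counting the first 8 octets */
            if (off + 2 > len) return -1;
            size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hlen > len) return -1;
            nexthdr = pkt[off];
            off += hlen;
            continue;
        }
        case NEXTHDR_FRAGMENT: {
            if (off + 8 > len) return -1;
            uint16_t frag_off = (uint16_t)(((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8);
            nexthdr = pkt[off];
            off += 8;
            out->proto = nexthdr;
            if (frag_off != 0) return 0;  /* non-first fragment: no transport header here */
            continue;
        }
        case NEXTHDR_TCP: case NEXTHDR_UDP:
            out->proto = nexthdr;
            if (off + 4 <= len) {
                out->sport = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
                out->dport = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
                out->ports_valid = 1;
            }
            return 0;
        default:                /* ESP, AH, ICMPv6, none, ... */
            out->proto = nexthdr;
            return 0;
        }
    }
}

/* Constructed sample: IPv6 fd00:0:20:1::1:1 -> fd00:0:20:1::1:4, Next Header =
 * hop-by-hop (8 bytes, PadN), then UDP 1234 -> 5353 with an empty payload. */
static const uint8_t SAMPLE_UDP_PKT[56] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x10, NEXTHDR_HOP, 0x40,
    0xfd, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01,
    0xfd, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04,
    NEXTHDR_UDP, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,   /* hop-by-hop + PadN */
    0x04, 0xd2, 0x14, 0xe9, 0x00, 0x08, 0x00, 0x00,          /* UDP header */
};

/* Small wrappers so the sample can be checked without packet plumbing. */
int sample_udp_proto(void) { struct flow6 f; return decode_flow6(SAMPLE_UDP_PKT, sizeof SAMPLE_UDP_PKT, &f) ? -1 : f.proto; }
int sample_udp_dport(void) { struct flow6 f; return decode_flow6(SAMPLE_UDP_PKT, sizeof SAMPLE_UDP_PKT, &f) ? -1 : f.dport; }
/* Cut the packet inside the hop-by-hop header: must be rejected, not guessed. */
int sample_truncated_rc(void) { struct flow6 f; return decode_flow6(SAMPLE_UDP_PKT, 44, &f); }

int main(void)
{
    struct flow6 f;
    if (decode_flow6(SAMPLE_UDP_PKT, sizeof SAMPLE_UDP_PKT, &f) == 0)
        printf("proto=%u sport=%u dport=%u\n", f.proto, f.sport, f.dport);
    return 0;
}
```

The point for a policy lookup such as xfrm's is that the selector (protocol and ports) must come from bytes that belong to the packet being routed; an offset cached earlier in the skb's path can point at the wrong header once the packet is re-routed, which is exactly the mismatch the mail describes.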
