Message-ID: <42724a32-c206-bc63-9674-c85eb1af1b1f@dell.com>
Date: Tue, 12 Feb 2019 19:53:11 +0000
From: <Farrell.Woods@...l.com>
To: <netdev@...r.kernel.org>
Subject: patch for ip6_input.c
Folks,
I'm proposing the following patch for ip6_input.c:
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index c7ed2b6..5aba6a6 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -409,12 +409,10 @@ void ip6_protocol_deliver_rcu(struct net *net,
struct sk_buff *skb, int nexthdr,
}
} else {
if (!raw) {
- if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
- __IP6_INC_STATS(net, idev,
- IPSTATS_MIB_INUNKNOWNPROTOS);
- icmpv6_send(skb, ICMPV6_PARAMPROB,
- ICMPV6_UNK_NEXTHDR, nhoff);
- }
+ __IP6_INC_STATS(net, idev,
+ IPSTATS_MIB_INUNKNOWNPROTOS);
+ icmpv6_send(skb, ICMPV6_PARAMPROB,
+ ICMPV6_UNK_NEXTHDR, nhoff);
kfree_skb(skb);
} else {
__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);
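Review bot: removing the xfrm6_policy_check() gate in this hunk makes the receiver answer cleartext packets that its inbound IPsec policy would otherwise discard, so the conformance failure is fixed by weakening the policy rather than by adjusting it. With the check gone, any unprotected packet carrying an unhandled Next Header now bumps IPSTATS_MIB_INUNKNOWNPROTOS and runs icmpv6_send(skb, ICMPV6_PARAMPROB, ICMPV6_UNK_NEXTHDR, nhoff) back to the source, so a sender with no SA learns that the host is up and which Next Header values it does not implement, while the same IN policy still denies that sender a response for known protocols on this path (the raw branch below is unchanged). If the test genuinely needs the Parameter Problem, the narrower fixes are a policy entry that bypasses IPsec for the test's traffic selectors, or a changelog argument for why an IN policy should not govern this particular ICMPv6 error; as posted, the diff also carries no commit description and no Signed-off-by line, which the submission needs regardless.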
The patch fixes an IPv6 conformance test failure (v6LC_1_2_03a in the
UNH INTACT suite) that occurs specifically when IPsec is in use. The
test iterates through the set of unassigned protocol numbers (currently,
143 through 252) and inserts these into the next header field of a
Destination Options header. The expected test result is that an ICMPv6
Parameter Problem is sent back. But if there's a policy in place that
requires an active SA between the Test Node and the Device Under Test
(and none exists), the inbound packet is quietly dropped.
This behavior is inconsistent with, for example, how unknown TLVs are
handled in extension headers (see the TLV parsing code in
ipv6/exthdrs.c) or, for instance, how misaligned fragment headers are
handled. These will always cause a Parameter Problem message to get
sent back to the source.
I have verified that, with the policy check removed, the unit test
passes.
FYI here's a trace of the test in question:
No.     Time           Source                    Destination               Protocol Length Info
      1 0.000000000    fe80::200:10ff:fe10:1080  fe80::260:16ff:fe97:ebf2  IPv6     71     *Unknown IP Protocol: Unassigned (143)*

Frame 1: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface 0
    Interface id: 0 (unknown)
        Interface name: unknown
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 6, 2019 13:27:29.949609000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1549477649.949609000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 71 bytes (568 bits)
    Capture Length: 71 bytes (568 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:ipv6.dstopts:data]
Ethernet II, Src: Sytek_10:10:80 (00:00:10:10:10:80), Dst: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
    Destination: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
        Address: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Sytek_10:10:80 (00:00:10:10:10:80)
        Address: Sytek_10:10:80 (00:00:10:10:10:80)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::200:10ff:fe10:1080, Dst: fe80::260:16ff:fe97:ebf2
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 17
    Next Header: Destination Options for IPv6 (60)
    Hop Limit: 255
    Source: fe80::200:10ff:fe10:1080
    Destination: fe80::260:16ff:fe97:ebf2
    [Source SA MAC: Sytek_10:10:80 (00:00:10:10:10:80)]
    [Destination SA MAC: Clariion_97:eb:f2 (00:60:16:97:eb:f2)]
    Destination Options for IPv6
        *Next Header: Unassigned (143)*
        Length: 0
        [Length: 8 bytes]
        PadN
            Type: PadN (0x01)
                00.. .... = Action: Skip and continue (0)
                ..0. .... = May Change: No
                ...0 0001 = Low-Order Bits: 0x01
            Length: 4
            PadN: 00000000
Data (9 bytes)
    0000  80 00 5c eb 00 00 00 00 00                        ..\......
    Data: 80005ceb0000000000
    [Length: 9]
I am working on a product that will ship with IPsec enabled and with a
set of traffic selectors in place that will exclude most inbound
traffic. Since this is how it will ship to the customer, we must leave
IPsec enabled when this goes to UNH for USGv6 certification.
Thanks for your consideration.
-- Farrell
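The exchange the test expects, as an added worked example that is not part of the original mail or of the kernel: the probe packet is rebuilt byte for byte from the trace above (IPv6 header, a PadN-only Destination Options header whose Next Header is 143, and the nine trailing data bytes), the extension-header chain is walked the way a receiver walks it to find the offset of the offending Next Header field, and the ICMPv6 Parameter Problem (type 4, code 1) that a conforming node sends back is built with a correct pseudo-header checksum and the pointer set to that offset. The IPsec policy gate discussed in the patch is deliberately left out, so this models the reply path only. The unassigned range 143..252, the addresses and the data bytes come from the mail; the treatment of "unknown" as "value in that range" is a simplification of the real stack, which decides by whether a protocol handler is registered, and the Hop-by-Hop variant goes beyond the trace to show the pointer moving to offset 48 when another extension header precedes the one carrying the bad value.

```python
"""Rebuild the v6LC_1_2_03a-style probe from the trace and derive the
ICMPv6 Parameter Problem a conforming receiver sends back (RFC 8200
section 4, RFC 4443 section 3.4). Added example, not kernel code."""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_ICMPV6 = 58
IPPROTO_DSTOPTS = 60
ICMPV6_PARAMPROB = 4
ICMPV6_UNK_NEXTHDR = 1          # "unrecognized Next Header type encountered"

# Simplification: the mail's unassigned range stands in for "no handler
# registered for this protocol", which is what the stack really checks.
UNASSIGNED_RANGE = range(143, 253)

SRC = ipaddress.IPv6Address("fe80::200:10ff:fe10:1080")   # test node (from trace)
DST = ipaddress.IPv6Address("fe80::260:16ff:fe97:ebf2")   # device under test


def _padn_header(next_hdr):
    """8-byte options header: Next Header, Hdr Ext Len 0, one PadN(4)."""
    return struct.pack("!BBBB", next_hdr, 0, 1, 4) + b"\x00" * 4


def build_test_packet(next_hdr=143, with_hopopts=False):
    """Rebuild the captured IPv6 packet (57 bytes without Ethernet).
    with_hopopts=True puts a PadN-only Hop-by-Hop header in front, which
    is not in the trace; it shifts the offending field from 40 to 48."""
    payload = _padn_header(next_hdr) + bytes.fromhex("80005ceb0000000000")
    first = IPPROTO_DSTOPTS
    if with_hopopts:
        payload = _padn_header(IPPROTO_DSTOPTS) + payload
        first = IPPROTO_HOPOPTS
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first, 255)
    return hdr + SRC.packed + DST.packed + payload


def find_unknown_next_header(pkt):
    """Walk the chain of Hop-by-Hop / Routing / Destination Options
    headers. Return (nexthdr, nhoff) where nhoff is the byte offset of
    the Next Header field naming an unrecognized protocol, else None."""
    nexthdr, nhoff, off = pkt[6], 6, 40
    while nexthdr in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
        if off + 2 > len(pkt):          # truncated header: a real stack drops it
            return None
        nhoff = off
        nexthdr = pkt[off]
        off += (pkt[off + 1] + 1) * 8   # Hdr Ext Len excludes the first 8 octets
    return (nexthdr, nhoff) if nexthdr in UNASSIGNED_RANGE else None


def icmpv6_checksum(src, dst, icmp):
    """Ones-complement checksum over the IPv6 pseudo-header plus ICMPv6."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_param_problem(offending, max_size=1280):
    """Reply the DUT should send: ICMPv6 type 4 code 1, Pointer = nhoff,
    quoting as much of the offending packet as fits the minimum MTU."""
    found = find_unknown_next_header(offending)
    if found is None:
        return None
    _, nhoff = found
    body = offending[:max_size - 40 - 8]
    icmp = struct.pack("!BBHI", ICMPV6_PARAMPROB, ICMPV6_UNK_NEXTHDR, 0, nhoff) + body
    src = ipaddress.IPv6Address(offending[24:40])   # DUT answers from its own address
    dst = ipaddress.IPv6Address(offending[8:24])    # back to the probe's source
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, 255)  # hop limit arbitrary
    return hdr + src.packed + dst.packed + icmp


def parse_param_problem(pkt):
    """Validate a reply (checksum over the pseudo-header must fold to 0)
    and return (code, pointer, quoted original packet)."""
    if pkt[6] != IPPROTO_ICMPV6:
        raise ValueError("not ICMPv6")
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    icmp = pkt[40:]
    if icmpv6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    typ, code, _, pointer = struct.unpack("!BBHI", icmp[:8])
    if typ != ICMPV6_PARAMPROB:
        raise ValueError("not a Parameter Problem")
    return code, pointer, icmp[8:]


if __name__ == "__main__":
    probe = build_test_packet()
    print("offending (nexthdr, nhoff):", find_unknown_next_header(probe))
    print("reply (code, pointer):", parse_param_problem(build_param_problem(probe))[:2])
```

Running the module prints the pair the trace implies for the captured packet, `(143, 40)`, and the Parameter Problem the test waits for, code 1 with pointer 40; with the policy check in place and no SA, that reply is exactly what the DUT never emits.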