lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 12 Feb 2019 19:58:07 -0700
From:   David Ahern <dsahern@...il.com>
To:     Peter Oskolkov <posk@...gle.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org
Cc:     Peter Oskolkov <posk@...k.io>,
        Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH bpf-next v10 5/7] bpf: add handling of BPF_LWT_REROUTE to
 lwt_bpf.c

On 2/12/19 10:32 AM, Peter Oskolkov wrote:
> @@ -148,6 +174,87 @@ static int xmit_check_hhlen(struct sk_buff *skb)
>  	return 0;
>  }
>  
> +static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
> +{
> +	struct net_device *l3mdev = l3mdev_master_dev_rcu(skb_dst(skb)->dev);
> +	int oif = l3mdev ? l3mdev->ifindex : 0;
> +	struct dst_entry *dst = NULL;
> +	struct sock *sk;
> +	struct net *net;
> +	bool ipv4;
> +	int err;
> +
> +	if (skb->protocol == htons(ETH_P_IP))
> +		ipv4 = true;
> +	else if (skb->protocol == htons(ETH_P_IPV6))
> +		ipv4 = false;
> +	else
> +		return -EAFNOSUPPORT;
> +
> +	sk = sk_to_full_sk(skb->sk);
> +	if (sk) {
> +		if (sk->sk_bound_dev_if)
> +			oif = sk->sk_bound_dev_if;
> +		net = sock_net(sk);
> +	} else {
> +		net = dev_net(skb_dst(skb)->dev);
> +	}
> +
> +	if (ipv4) {
> +		struct iphdr *iph = ip_hdr(skb);
> +		struct flowi4 fl4 = {};
> +		struct rtable *rt;
> +
> +		fl4.flowi4_oif = oif;
> +		fl4.flowi4_mark = skb->mark;
> +		fl4.flowi4_uid = sock_net_uid(net, sk);
> +		fl4.flowi4_tos = RT_TOS(iph->tos);
> +		fl4.flowi4_flags = FLOWI_FLAG_ANYSRC;
> +		fl4.flowi4_proto = iph->protocol;
> +		fl4.daddr = iph->daddr;
> +		fl4.saddr = iph->saddr;
> +
> +		rt = ip_route_output_key(net, &fl4);
> +		if (IS_ERR(rt) || rt->dst.error)
> +			return -EINVAL;

I think you have a dst leak here if rt is valid but the lookup is a
reject (e.g., unreachable or blackhole).

> +		dst = &rt->dst;
> +	} else {
> +		struct ipv6hdr *iph6 = ipv6_hdr(skb);
> +		struct flowi6 fl6 = {};
> +
> +		fl6.flowi6_oif = oif;
> +		fl6.flowi6_mark = skb->mark;
> +		fl6.flowi6_uid = sock_net_uid(net, sk);
> +		fl6.flowlabel = ip6_flowinfo(iph6);
> +		fl6.flowi6_proto = iph6->nexthdr;
> +		fl6.daddr = iph6->daddr;
> +		fl6.saddr = iph6->saddr;
> +
> +		err = ipv6_stub->ipv6_dst_lookup(net, skb->sk, &dst, &fl6);
> +		if (err || IS_ERR(dst) || dst->error)
> +			return -EINVAL;

same here.

You could check this by adding a route with unreachable as the target in
your tests. Test cleanup and namespace teardown will tell you pretty quick.

Powered by blists - more mailing lists