| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Jul 2021 15:05:51 +0100
From: Vadim Fedorenko <vfedorenko@...ek.ru>
To: Paolo Abeni <pabeni@...hat.com>, David Ahern <dsahern@...nel.org>,
Willem de Bruijn <willemb@...gle.com>,
Xin Long <lucien.xin@...il.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net 2/3] udp: check encap socket in __udp_lib_err
On 12.07.2021 14:37, Paolo Abeni wrote:
> On Mon, 2021-07-12 at 13:45 +0100, Vadim Fedorenko wrote:
>>
>>> After this patch, the above chunk will not clear 'sk' for packets
>>> targeting ESP in UDP sockets, but AFAICS we will still enter the
>>> following conditional, preserving the current behavior - no ICMP
>>> processing.
>>
>> We will not enter following conditional for ESP in UDP case because
>> there is no more check for encap_type or encap_enabled.
>
> I see. You have a bug in the ipv6 code-path. With your patch applied:
>
> ---
> sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source,
> inet6_iif(skb), inet6_sdif(skb), udptable, NULL);
> if (sk && udp_sk(sk)->encap_enabled) {
> //...
> }
>
> if (!sk || udp_sk(sk)->encap_enabled) {
> // can still enter here...
> ---
>
Oh, my bad, thanks for catching this!
>> I maybe missing something but d26796ae5894 doesn't actually explain
>> which particular situation should be avoided by this additional check
>> and no tests were added to simply reproduce the problem. If you can
>> explain it a bit more it would greatly help me to improve the fix.
>
> Xin knows better, but AFAICS it used to cover the situation you
> explicitly tests in patch 3/3 - incoming packet with src-port == dst-
> port == tunnel port - for e.g. vxlan tunnels.
>
Ok, so my assumption was like yours, that's good.
>>> Why can't you use something alike the following instead?
>>>
>>> ---
>>> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
>>> index c0f9f3260051..96a3b640e4da 100644
>>> --- a/net/ipv4/udp.c
>>> +++ b/net/ipv4/udp.c
>>> @@ -707,7 +707,7 @@ int __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
>>> sk = __udp4_lib_lookup(net, iph->daddr, uh->dest,
>>> iph->saddr, uh->source, skb->dev->ifindex,
>>> inet_sdif(skb), udptable, NULL);
>>> - if (!sk || udp_sk(sk)->encap_type) {
>>> + if (!sk || READ_ONCE(udp_sk(sk)->encap_err_lookup)) {
>>> /* No socket for error: try tunnels before discarding */
>>> sk = ERR_PTR(-ENOENT);
>>> if (static_branch_unlikely(&udp_encap_needed_key)) {
>>>
>>> ---
>
> Could you please have a look at the above ?
>
Sure. The main problem I see here is that udp4_lib_lookup in udp_lib_err_encap
could return different socket because of different source and destination port
and in this case we will never check for correctness of originally found socket,
i.e. encap_err_lookup will never be called and the ICMP notification will never
be applied to that socket even if it passes checks.
My point is that it's simplier to explicitly check socket that was found than
rely on the result of udp4_lib_lookup with different inputs and leave the case
of no socket as it was before d26796ae5894.
If it's ok, I will unify the code for check as Willem suggested and resend v2.
Powered by blists - more mailing lists