| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <81001aca6c025cb4f3dff523945f78142899eecb.camel@redhat.com>
Date: Mon, 12 Jul 2021 16:09:58 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Vadim Fedorenko <vfedorenko@...ek.ru>,
David Ahern <dsahern@...nel.org>,
Willem de Bruijn <willemb@...gle.com>,
Xin Long <lucien.xin@...il.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net 2/3] udp: check encap socket in __udp_lib_err
On Mon, 2021-07-12 at 15:05 +0100, Vadim Fedorenko wrote:
> On 12.07.2021 14:37, Paolo Abeni wrote:
> > On Mon, 2021-07-12 at 13:45 +0100, Vadim Fedorenko wrote:
> > > > After this patch, the above chunk will not clear 'sk' for packets
> > > > targeting ESP in UDP sockets, but AFAICS we will still enter the
> > > > following conditional, preserving the current behavior - no ICMP
> > > > processing.
> > >
> > > We will not enter following conditional for ESP in UDP case because
> > > there is no more check for encap_type or encap_enabled.
> >
> > I see. You have a bug in the ipv6 code-path. With your patch applied:
> >
> > ---
> > sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source,
> > inet6_iif(skb), inet6_sdif(skb), udptable, NULL);
> > if (sk && udp_sk(sk)->encap_enabled) {
> > //...
> > }
> >
> > if (!sk || udp_sk(sk)->encap_enabled) {
> > // can still enter here...
> > ---
> >
>
> Oh, my bad, thanks for catching this!
>
> > > I maybe missing something but d26796ae5894 doesn't actually explain
> > > which particular situation should be avoided by this additional check
> > > and no tests were added to simply reproduce the problem. If you can
> > > explain it a bit more it would greatly help me to improve the fix.
> >
> > Xin knows better, but AFAICS it used to cover the situation you
> > explicitly tests in patch 3/3 - incoming packet with src-port == dst-
> > port == tunnel port - for e.g. vxlan tunnels.
> >
>
> Ok, so my assumption was like yours, that's good.
>
> > > > Why can't you use something alike the following instead?
> > > >
> > > > ---
> > > > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > > > index c0f9f3260051..96a3b640e4da 100644
> > > > --- a/net/ipv4/udp.c
> > > > +++ b/net/ipv4/udp.c
> > > > @@ -707,7 +707,7 @@ int __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
> > > > sk = __udp4_lib_lookup(net, iph->daddr, uh->dest,
> > > > iph->saddr, uh->source, skb->dev->ifindex,
> > > > inet_sdif(skb), udptable, NULL);
> > > > - if (!sk || udp_sk(sk)->encap_type) {
> > > > + if (!sk || READ_ONCE(udp_sk(sk)->encap_err_lookup)) {
> > > > /* No socket for error: try tunnels before discarding */
> > > > sk = ERR_PTR(-ENOENT);
> > > > if (static_branch_unlikely(&udp_encap_needed_key)) {
> > > >
> > > > ---
> >
> > Could you please have a look at the above ?
> >
> Sure. The main problem I see here is that udp4_lib_lookup in udp_lib_err_encap
> could return different socket because of different source and destination port
> and in this case we will never check for correctness of originally found socket,
> i.e. encap_err_lookup will never be called and the ICMP notification will never
> be applied to that socket even if it passes checks.
> My point is that it's simplier to explicitly check socket that was found than
> rely on the result of udp4_lib_lookup with different inputs and leave the case
> of no socket as it was before d26796ae5894.
>
> If it's ok, I will unify the code for check as Willem suggested and resend v2.
If the final code is small enough, please go ahead with that.
Thanks!
Paolo
Powered by blists - more mailing lists