| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Jan 2022 09:49:42 +0000
From: Lorenz Bauer <lmb@...udflare.com>
To: Maxim Mikityanskiy <maximmi@...dia.com>
Cc: bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Networking <netdev@...r.kernel.org>,
Tariq Toukan <tariqt@...dia.com>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Petar Penkov <ppenkov@...gle.com>,
Eric Dumazet <edumazet@...gle.com>
Subject: Re: [PATCH bpf v2 2/4] bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
On Mon, 24 Jan 2022 at 15:13, Maxim Mikityanskiy <maximmi@...dia.com> wrote:
>
> bpf_tcp_gen_syncookie looks at the IP version in the IP header and
> validates the address family of the socket. It supports IPv4 packets in
> AF_INET6 dual-stack sockets.
>
> On the other hand, bpf_tcp_check_syncookie looks only at the address
> family of the socket, ignoring the real IP version in headers, and
> validates only the packet size. This implementation has some drawbacks:
>
> 1. Packets are not validated properly, allowing a BPF program to trick
> bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4
> socket.
>
> 2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end
> up receiving a SYNACK with the cookie, but the following ACK gets
> dropped.
>
> This patch fixes these issues by changing the checks in
> bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP
> version from the header is taken into account, and it is validated
> properly with address family.
>
> Fixes: 399040847084 ("bpf: add helper to check for a valid SYN cookie")
> Signed-off-by: Maxim Mikityanskiy <maximmi@...dia.com>
> Reviewed-by: Tariq Toukan <tariqt@...dia.com>
> ---
> net/core/filter.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 05efa691b796..780e635fb52a 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -6774,24 +6774,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len
> if (!th->ack || th->rst || th->syn)
> return -ENOENT;
>
> + if (unlikely(iph_len < sizeof(struct iphdr)))
> + return -EINVAL;
> +
> if (tcp_synq_no_recent_overflow(sk))
> return -ENOENT;
>
> cookie = ntohl(th->ack_seq) - 1;
>
> - switch (sk->sk_family) {
> - case AF_INET:
> - if (unlikely(iph_len < sizeof(struct iphdr)))
> + /* Both struct iphdr and struct ipv6hdr have the version field at the
> + * same offset so we can cast to the shorter header (struct iphdr).
> + */
> + switch (((struct iphdr *)iph)->version) {
> + case 4:
> + if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk))
> return -EINVAL;
Wouldn't this allow an arbitrary value for sk->sk_family, since there
is no further check that sk_family is AF_INET?
--
Lorenz Bauer | Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK
www.cloudflare.com
Powered by blists - more mailing lists