| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <727ed7f4-c29e-05e1-2d8d-2f1dcdd06002@nvidia.com>
Date: Mon, 31 Jan 2022 15:38:12 +0200
From: Maxim Mikityanskiy <maximmi@...dia.com>
To: Lorenz Bauer <lmb@...udflare.com>
CC: bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
"Daniel Borkmann" <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Networking <netdev@...r.kernel.org>,
Tariq Toukan <tariqt@...dia.com>,
"Martin KaFai Lau" <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Petar Penkov <ppenkov@...gle.com>,
Eric Dumazet <edumazet@...gle.com>
Subject: Re: [PATCH bpf v2 2/4] bpf: Support dual-stack sockets in
bpf_tcp_check_syncookie
On 2022-01-26 11:49, Lorenz Bauer wrote:
> On Mon, 24 Jan 2022 at 15:13, Maxim Mikityanskiy <maximmi@...dia.com> wrote:
>>
>> bpf_tcp_gen_syncookie looks at the IP version in the IP header and
>> validates the address family of the socket. It supports IPv4 packets in
>> AF_INET6 dual-stack sockets.
>>
>> On the other hand, bpf_tcp_check_syncookie looks only at the address
>> family of the socket, ignoring the real IP version in headers, and
>> validates only the packet size. This implementation has some drawbacks:
>>
>> 1. Packets are not validated properly, allowing a BPF program to trick
>> bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4
>> socket.
>>
>> 2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end
>> up receiving a SYNACK with the cookie, but the following ACK gets
>> dropped.
>>
>> This patch fixes these issues by changing the checks in
>> bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP
>> version from the header is taken into account, and it is validated
>> properly with address family.
>>
>> Fixes: 399040847084 ("bpf: add helper to check for a valid SYN cookie")
>> Signed-off-by: Maxim Mikityanskiy <maximmi@...dia.com>
>> Reviewed-by: Tariq Toukan <tariqt@...dia.com>
>> ---
>> net/core/filter.c | 17 +++++++++++++----
>> 1 file changed, 13 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 05efa691b796..780e635fb52a 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -6774,24 +6774,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len
>> if (!th->ack || th->rst || th->syn)
>> return -ENOENT;
>>
>> + if (unlikely(iph_len < sizeof(struct iphdr)))
>> + return -EINVAL;
>> +
>> if (tcp_synq_no_recent_overflow(sk))
>> return -ENOENT;
>>
>> cookie = ntohl(th->ack_seq) - 1;
>>
>> - switch (sk->sk_family) {
>> - case AF_INET:
>> - if (unlikely(iph_len < sizeof(struct iphdr)))
>> + /* Both struct iphdr and struct ipv6hdr have the version field at the
>> + * same offset so we can cast to the shorter header (struct iphdr).
>> + */
>> + switch (((struct iphdr *)iph)->version) {
>> + case 4:
>> + if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk))
>> return -EINVAL;
>
> Wouldn't this allow an arbitrary value for sk->sk_family, since there
> is no further check that sk_family is AF_INET?
It relies on the assumption that sk_family is either AF_INET or
AF_INET6, when sk_protocol is IPPROTO_TCP (checked above). The same
assumption is used in bpf_tcp_gen_syncookie. Do you think there are
cases when it doesn't hold, and we must verify sk_family? If yes, then
bpf_tcp_gen_syncookie should also be fixed.
Powered by blists - more mailing lists