Message-ID: <20220927002544.3381205-1-kafai@fb.com>
Date: Mon, 26 Sep 2022 17:25:44 -0700
From: Martin KaFai Lau <kafai@...com>
To: <netdev@...r.kernel.org>
CC: David Miller <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, <kernel-team@...com>, Paolo Abeni <pabeni@...hat.com>, Joanne Koong <joannelkoong@...il.com>, Alexander Potapenko <glider@...gle.com>, Martin KaFai Lau <martin.lau@...nel.org>
Subject: [PATCH net-next] net: Fix incorrect address comparison when searching for a bind2 bucket

From: Martin KaFai Lau <martin.lau@...nel.org>

The v6_rcv_saddr and rcv_saddr are inside a union in the 'struct inet_bind2_bucket'. When searching a bucket by following the bhash2 hashtable chain, eg. inet_bind2_bucket_match, it is only using the sk->sk_family and there is no way to check if the inet_bind2_bucket has a v6 or v4 address in the union. This leads to an uninit-value KMSAN report in [0] and also potentially incorrect matches.

This patch fixes it by adding a family member to the inet_bind2_bucket and then tests 'sk->sk_family != tb->family' before matching the sk's address to the tb's address.

Cc: Joanne Koong <joannelkoong@...il.com>
Cc: Alexander Potapenko <glider@...gle.com>
Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
Signed-off-by: Martin KaFai Lau <martin.lau@...nel.org>
--- include/net/inet_hashtables.h | 3 +++ net/ipv4/inet_hashtables.c | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index 9121ccab1fa1..3af1e927247d 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -95,6 +95,9 @@ struct inet_bind2_bucket { possible_net_t ib_net; int l3mdev; unsigned short port; +#if IS_ENABLED(CONFIG_IPV6) + unsigned short family; +#endif union { #if IS_ENABLED(CONFIG_IPV6) struct in6_addr v6_rcv_saddr; 
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 74e64aad5114..49db8c597eea 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -109,6 +109,7 @@ static void inet_bind2_bucket_init(struct inet_bind2_bucket *tb, tb->l3mdev = l3mdev; tb->port = port; #if IS_ENABLED(CONFIG_IPV6) + tb->family = sk->sk_family; if (sk->sk_family == AF_INET6) tb->v6_rcv_saddr = sk->sk_v6_rcv_saddr; else @@ -146,6 +147,9 @@ static bool inet_bind2_bucket_addr_match(const struct inet_bind2_bucket *tb2, const struct sock *sk) { #if IS_ENABLED(CONFIG_IPV6) + if (sk->sk_family != tb2->family) + return false; + if (sk->sk_family == AF_INET6) return ipv6_addr_equal(&tb2->v6_rcv_saddr, &sk->sk_v6_rcv_saddr); @@ -791,6 +795,9 @@ static bool inet_bind2_bucket_match(const struct inet_bind2_bucket *tb, int l3mdev, const struct sock *sk) { #if IS_ENABLED(CONFIG_IPV6) + if (sk->sk_family != tb->family) + return false; + if (sk->sk_family == AF_INET6) return net_eq(ib2_net(tb), net) && tb->port == port && tb->l3mdev == l3mdev && @@ -807,6 +814,9 @@ bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const #if IS_ENABLED(CONFIG_IPV6) struct in6_addr addr_any = {}; + if (sk->sk_family != tb->family) + return false; + if (sk->sk_family == AF_INET6) return net_eq(ib2_net(tb), net) && tb->port == port && tb->l3mdev == l3mdev && -- 2.30.2
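
Review bot: the new 'family' member in struct inet_bind2_bucket (include/net/inet_hashtables.h, hunk at -95,6) has no comment saying that it is the discriminator for the union that follows it. A one-line comment along the lines of "family of the socket that created this bucket; selects v6_rcv_saddr or rcv_saddr" would record the invariant the rest of the patch depends on: nothing may read the union without first checking tb->family.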
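
Review bot: in inet_bind2_bucket_match() (net/ipv4/inet_hashtables.c, hunk at -791,6) the early 'if (sk->sk_family != tb->family) return false;' means an AF_INET6 socket can never match a bucket created by an AF_INET socket, and the commit message does not say whether that is the intended result when the AF_INET6 socket's sk_v6_rcv_saddr is a v4-mapped address. Please state the expected behaviour for that case in the commit message or in a comment above the check, so that the strict family comparison reads as a decision and not as a side effect of the uninit-value fix.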
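
Review bot: the check added to inet_bind2_bucket_match_addr_any() (hunk at -807,6) is the third open-coded copy of 'if (sk->sk_family != tb->family) return false;' in this file, after inet_bind2_bucket_addr_match() and inet_bind2_bucket_match(), each inside its own '#if IS_ENABLED(CONFIG_IPV6)' block. A small static inline helper taking the bucket and the sock would keep the three sites in step if the rule is ever refined, and would give the comment explaining the union discriminator a single home.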