lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZzK5A9DDxN-YJlsk@gondor.apana.org.au>
Date: Tue, 12 Nov 2024 10:10:11 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Dong Chenchen <dongchenchen2@...wei.com>
Cc: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com,
	pabeni@...hat.com, horms@...nel.org, netdev@...r.kernel.org,
	yuehaibing@...wei.com, zhangchangzhong@...wei.com
Subject: Re: [PATCH net] net: Fix icmp host relookup triggering ip_rt_bug

On Mon, Nov 11, 2024 at 08:39:15PM +0800, Dong Chenchen wrote:
> arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:
> 
> WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20
> Modules linked in:
> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> RIP: 0010:ip_rt_bug+0x14/0x20
> Call Trace:
>  <IRQ>
>  ip_send_skb+0x14/0x40
>  __icmp_send+0x42d/0x6a0
>  ipv4_link_failure+0xe2/0x1d0
>  arp_error_report+0x3c/0x50
>  neigh_invalidate+0x8d/0x100
>  neigh_timer_handler+0x2e1/0x330
>  call_timer_fn+0x21/0x120
>  __run_timer_base.part.0+0x1c9/0x270
>  run_timer_softirq+0x4c/0x80
>  handle_softirqs+0xac/0x280
>  irq_exit_rcu+0x62/0x80
>  sysvec_apic_timer_interrupt+0x77/0x90
> 
> The script below reproduces this scenario:
> ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \
> 	dir out priority 0 ptype main flag localok icmp
> ip l a veth1 type veth
> ip a a 192.168.141.111/24 dev veth0
> ip l s veth0 up
> ping 192.168.141.155 -c 1
> 
> icmp_route_lookup() create input routes for locally generated packets
> while xfrm relookup ICMP traffic.Then it will set input route
> (dst->out = ip_rt_bug) to skb for DESTUNREACH.
> 
> Similar to commit ed6e4ef836d4("netfilter: Fix ip_route_me_harder
> triggering ip_rt_bug"), avoid creating input routes with
> icmp_route_lookup() to fix it.
> 
> Fixes: 8b7817f3a959 ("[IPSEC]: Add ICMP host relookup support")
> Signed-off-by: Dong Chenchen <dongchenchen2@...wei.com>
> ---
>  net/ipv4/icmp.c | 35 ++++++++++-------------------------
>  1 file changed, 10 insertions(+), 25 deletions(-)
> 
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index e1384e7331d8..11ef4eb5b659 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -490,6 +490,7 @@ static struct rtable *icmp_route_lookup(struct net *net,
>  	struct dst_entry *dst, *dst2;
>  	struct rtable *rt, *rt2;
>  	struct flowi4 fl4_dec;
> +	unsigned int addr_type;
>  	int err;
>  
>  	memset(fl4, 0, sizeof(*fl4));
> @@ -528,31 +529,15 @@ static struct rtable *icmp_route_lookup(struct net *net,
>  	if (err)
>  		goto relookup_failed;
>  
> -	if (inet_addr_type_dev_table(net, route_lookup_dev,
> -				     fl4_dec.saddr) == RTN_LOCAL) {
> -		rt2 = __ip_route_output_key(net, &fl4_dec);
> -		if (IS_ERR(rt2))
> -			err = PTR_ERR(rt2);
> -	} else {

So you're saying that your packet triggered the else branch?

That I think is the bug here, not the input route lookup which
is the whole purpose of the original patch (simulate an input route
lookup in order to determine the correct policy).

AFAIK the packet that triggered the crash has a source address
of 192.168.141.111, which should definitely be local.  So why
is the RTN_LOCAL check failing?

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ