| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <73cccd5e-de7d-404b-910d-c6a799c28c57@linux.dev>
Date: Tue, 6 May 2025 12:17:13 -0700
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Paul Chaignon <paul.chaignon@...il.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>,
Jakub Kicinski <kuba@...nel.org>,
Network Development <netdev@...r.kernel.org>, bpf@...r.kernel.org
Subject: Re: [PATCH bpf v2 1/2] bpf: Scrub packet on bpf_redirect_peer
On 5/5/25 12:58 PM, Paul Chaignon wrote:
> When bpf_redirect_peer is used to redirect packets to a device in
> another network namespace, the skb isn't scrubbed. That can lead skb
> information from one namespace to be "misused" in another namespace.
>
> As one example, this is causing Cilium to drop traffic when using
> bpf_redirect_peer to redirect packets that just went through IPsec
> decryption to a container namespace. The following pwru trace shows (1)
> the packet path from the host's XFRM layer to the container's XFRM
> layer where it's dropped and (2) the number of active skb extensions at
> each function.
>
> NETNS MARK IFACE TUPLE FUNC
> 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb
> .active_extensions = (__u8)2,
> 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb
> .active_extensions = (__u8)2,
> 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 gro_cells_receive
> .active_extensions = (__u8)2,
> [...]
> 4026533547 0 eth0 10.244.3.124:35473->10.244.2.158:53 skb_do_redirect
> .active_extensions = (__u8)2,
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv
> .active_extensions = (__u8)2,
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv_core
> .active_extensions = (__u8)2,
> [...]
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb
> .active_extensions = (__u8)2,
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check
> .active_extensions = (__u8)2,
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session
> .active_extensions = (__u8)2,
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session
> .active_extensions = (__u8)2,
> 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)
> .active_extensions = (__u8)2,
>
> In this case, there are no XFRM policies in the container's network
> namespace so the drop is unexpected. When we decrypt the IPsec packet,
> the XFRM state used for decryption is set in the skb extensions. This
> information is preserved across the netns switch. When we reach the
> XFRM policy check in the container's netns, __xfrm_policy_check drops
> the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM
> policy can't be found that matches the (host-side) XFRM state used for
> decryption.
>
> This patch fixes this by scrubbing the packet when using
> bpf_redirect_peer, as is done on typical netns switches via veth
> devices except skb->mark and skb->tstamp are not zeroed.
>
> Fixes: 9aa1206e8f482 ("bpf: Add redirect_peer helper")
> Signed-off-by: Paul Chaignon <paul.chaignon@...il.com>
Acked-by: Martin KaFai Lau <martin.lau@...nel.org>
Powered by blists - more mailing lists