diff options
| author | hannes@stressinduktion.org <hannes@stressinduktion.org> | 2015-04-01 11:07:44 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-04-06 16:12:49 -0400 |
| commit | f60e5990d9c1424af9dbca60a23ba2a1c7c1ce90 (patch) | |
| tree | bba5ed057073e42c0113473e1cdbff0bc46ab875 | |
| parent | 576b7cd2f6ff1e90b3fc0a000d2fe74f8a50a4bb (diff) | |
ipv6: protect skb->sk accesses from recursive dereference inside the stack
We should not consult skb->sk for output decisions in xmit recursion
levels > 0 in the stack. Otherwise local socket settings could influence
the result of e.g. tunnel encapsulation process.
ipv6 does not conform with this in three places:
1) ip6_fragment: we do consult ipv6_npinfo for frag_size
2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
loop the packet back to the local socket
3) ip6_skb_dst_mtu could query the settings from the user socket and
force a wrong MTU
Furthermore:
In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
PF_PACKET socket ontop of an IPv6-backed vxlan device.
Reuse xmit_recursion as we are currently only interested in protecting
tunnel devices.
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/linux/netdevice.h | 6 | ||||
| -rw-r--r-- | include/net/ip.h | 16 | ||||
| -rw-r--r-- | include/net/ip6_route.h | 3 | ||||
| -rw-r--r-- | include/net/sock.h | 2 | ||||
| -rw-r--r-- | net/core/dev.c | 4 | ||||
| -rw-r--r-- | net/core/sock.c | 19 | ||||
| -rw-r--r-- | net/ipv6/ip6_output.c | 3 |
7 files changed, 34 insertions, 19 deletions
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index dcf6ec27739b..278738873703 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h | |||
| @@ -2185,6 +2185,12 @@ void netdev_freemem(struct net_device *dev); | |||
| 2185 | void synchronize_net(void); | 2185 | void synchronize_net(void); |
| 2186 | int init_dummy_netdev(struct net_device *dev); | 2186 | int init_dummy_netdev(struct net_device *dev); |
| 2187 | 2187 | ||
| 2188 | DECLARE_PER_CPU(int, xmit_recursion); | ||
| 2189 | static inline int dev_recursion_level(void) | ||
| 2190 | { | ||
| 2191 | return this_cpu_read(xmit_recursion); | ||
| 2192 | } | ||
| 2193 | |||
| 2188 | struct net_device *dev_get_by_index(struct net *net, int ifindex); | 2194 | struct net_device *dev_get_by_index(struct net *net, int ifindex); |
| 2189 | struct net_device *__dev_get_by_index(struct net *net, int ifindex); | 2195 | struct net_device *__dev_get_by_index(struct net *net, int ifindex); |
| 2190 | struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex); | 2196 | struct net_device *dev_get_by_index_rcu(struct net *net, int ifindex); |
diff --git a/include/net/ip.h b/include/net/ip.h index 025c61c0dffb..6cc1eafb153a 100644 --- a/include/net/ip.h +++ b/include/net/ip.h | |||
| @@ -453,22 +453,6 @@ static __inline__ void inet_reset_saddr(struct sock *sk) | |||
| 453 | 453 | ||
| 454 | #endif | 454 | #endif |
| 455 | 455 | ||
| 456 | static inline int sk_mc_loop(struct sock *sk) | ||
| 457 | { | ||
| 458 | if (!sk) | ||
| 459 | return 1; | ||
| 460 | switch (sk->sk_family) { | ||
| 461 | case AF_INET: | ||
| 462 | return inet_sk(sk)->mc_loop; | ||
| 463 | #if IS_ENABLED(CONFIG_IPV6) | ||
| 464 | case AF_INET6: | ||
| 465 | return inet6_sk(sk)->mc_loop; | ||
| 466 | #endif | ||
| 467 | } | ||
| 468 | WARN_ON(1); | ||
| 469 | return 1; | ||
| 470 | } | ||
| 471 | |||
| 472 | bool ip_call_ra_chain(struct sk_buff *skb); | 456 | bool ip_call_ra_chain(struct sk_buff *skb); |
| 473 | 457 | ||
| 474 | /* | 458 | /* |
diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h index 1d09b46c1e48..eda131d179d9 100644 --- a/include/net/ip6_route.h +++ b/include/net/ip6_route.h | |||
| @@ -174,7 +174,8 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)); | |||
| 174 | 174 | ||
| 175 | static inline int ip6_skb_dst_mtu(struct sk_buff *skb) | 175 | static inline int ip6_skb_dst_mtu(struct sk_buff *skb) |
| 176 | { | 176 | { |
| 177 | struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL; | 177 | struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ? |
| 178 | inet6_sk(skb->sk) : NULL; | ||
| 178 | 179 | ||
| 179 | return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ? | 180 | return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ? |
| 180 | skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); | 181 | skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); |
diff --git a/include/net/sock.h b/include/net/sock.h index ab186b1d31ff..e4079c28e6b8 100644 --- a/include/net/sock.h +++ b/include/net/sock.h | |||
| @@ -1762,6 +1762,8 @@ struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie); | |||
| 1762 | 1762 | ||
| 1763 | struct dst_entry *sk_dst_check(struct sock *sk, u32 cookie); | 1763 | struct dst_entry *sk_dst_check(struct sock *sk, u32 cookie); |
| 1764 | 1764 | ||
| 1765 | bool sk_mc_loop(struct sock *sk); | ||
| 1766 | |||
| 1765 | static inline bool sk_can_gso(const struct sock *sk) | 1767 | static inline bool sk_can_gso(const struct sock *sk) |
| 1766 | { | 1768 | { |
| 1767 | return net_gso_ok(sk->sk_route_caps, sk->sk_gso_type); | 1769 | return net_gso_ok(sk->sk_route_caps, sk->sk_gso_type); |
diff --git a/net/core/dev.c b/net/core/dev.c index 962ee9d71964..45109b70664e 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
| @@ -2848,7 +2848,9 @@ static void skb_update_prio(struct sk_buff *skb) | |||
| 2848 | #define skb_update_prio(skb) | 2848 | #define skb_update_prio(skb) |
| 2849 | #endif | 2849 | #endif |
| 2850 | 2850 | ||
| 2851 | static DEFINE_PER_CPU(int, xmit_recursion); | 2851 | DEFINE_PER_CPU(int, xmit_recursion); |
| 2852 | EXPORT_SYMBOL(xmit_recursion); | ||
| 2853 | |||
| 2852 | #define RECURSION_LIMIT 10 | 2854 | #define RECURSION_LIMIT 10 |
| 2853 | 2855 | ||
| 2854 | /** | 2856 | /** |
diff --git a/net/core/sock.c b/net/core/sock.c index 78e89eb7eb70..71e3e5f1eaa0 100644 --- a/net/core/sock.c +++ b/net/core/sock.c | |||
| @@ -653,6 +653,25 @@ static inline void sock_valbool_flag(struct sock *sk, int bit, int valbool) | |||
| 653 | sock_reset_flag(sk, bit); | 653 | sock_reset_flag(sk, bit); |
| 654 | } | 654 | } |
| 655 | 655 | ||
| 656 | bool sk_mc_loop(struct sock *sk) | ||
| 657 | { | ||
| 658 | if (dev_recursion_level()) | ||
| 659 | return false; | ||
| 660 | if (!sk) | ||
| 661 | return true; | ||
| 662 | switch (sk->sk_family) { | ||
| 663 | case AF_INET: | ||
| 664 | return inet_sk(sk)->mc_loop; | ||
| 665 | #if IS_ENABLED(CONFIG_IPV6) | ||
| 666 | case AF_INET6: | ||
| 667 | return inet6_sk(sk)->mc_loop; | ||
| 668 | #endif | ||
| 669 | } | ||
| 670 | WARN_ON(1); | ||
| 671 | return true; | ||
| 672 | } | ||
| 673 | EXPORT_SYMBOL(sk_mc_loop); | ||
| 674 | |||
| 656 | /* | 675 | /* |
| 657 | * This is meant for all protocols to use and covers goings on | 676 | * This is meant for all protocols to use and covers goings on |
| 658 | * at the socket level. Everything here is generic. | 677 | * at the socket level. Everything here is generic. |
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 7e80b61b51ff..36cf0ab685a0 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c | |||
| @@ -542,7 +542,8 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *)) | |||
| 542 | { | 542 | { |
| 543 | struct sk_buff *frag; | 543 | struct sk_buff *frag; |
| 544 | struct rt6_info *rt = (struct rt6_info *)skb_dst(skb); | 544 | struct rt6_info *rt = (struct rt6_info *)skb_dst(skb); |
| 545 | struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL; | 545 | struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ? |
| 546 | inet6_sk(skb->sk) : NULL; | ||
| 546 | struct ipv6hdr *tmp_hdr; | 547 | struct ipv6hdr *tmp_hdr; |
| 547 | struct frag_hdr *fh; | 548 | struct frag_hdr *fh; |
| 548 | unsigned int mtu, hlen, left, len; | 549 | unsigned int mtu, hlen, left, len; |