net: add real socket cookies

A long standing problem in netlink socket dumps is the use
of kernel socket addresses as cookies.

1) It is a security concern.

2) Sockets can be reused quite quickly, so there is
   no guarantee a cookie is used once and identify
   a flow.

3) request sock, establish sock, and timewait socks
   for a given flow have different cookies.

Part of our effort to bring better TCP statistics requires
to switch to a different allocator.

In this patch, I chose to use a per network namespace 64bit generator,
and to use it only in the case a socket needs to be dumped to netlink.
(This might be refined later if needed)

Note that I tried to carry cookies from request sock, to establish sock,
then timewait sockets.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Salo <salo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 9 insertions, 5 deletions

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index ac3bfb458afd..29317ff4a007 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -221,12 +221,13 @@ static int inet_csk_diag_fill(struct sock *sk,
                                  user_ns, portid, seq, nlmsg_flags, unlh);
 }
 
-static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
+static int inet_twsk_diag_fill(struct sock *sk,
                                struct sk_buff *skb,
                                const struct inet_diag_req_v2 *req,
                                u32 portid, u32 seq, u16 nlmsg_flags,
                                const struct nlmsghdr *unlh)
 {
+        struct inet_timewait_sock *tw = inet_twsk(sk);
         struct inet_diag_msg *r;
         struct nlmsghdr *nlh;
         s32 tmo;
@@ -247,7 +248,7 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
         r->idiag_retrans      = 0;
 
         r->id.idiag_if        = tw->tw_bound_dev_if;
-        sock_diag_save_cookie(tw, r->id.idiag_cookie);
+        sock_diag_save_cookie(sk, r->id.idiag_cookie);
 
         r->id.idiag_sport     = tw->tw_sport;
         r->id.idiag_dport     = tw->tw_dport;
@@ -283,7 +284,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
                         const struct nlmsghdr *unlh)
 {
         if (sk->sk_state == TCP_TIME_WAIT)
-                return inet_twsk_diag_fill(inet_twsk(sk), skb, r, portid, seq,
+                return inet_twsk_diag_fill(sk, skb, r, portid, seq,
                                            nlmsg_flags, unlh);
 
         return inet_csk_diag_fill(sk, skb, r, user_ns, portid, seq,
@@ -675,7 +676,7 @@ static int inet_twsk_diag_dump(struct sock *sk,
         if (!inet_diag_bc_sk(bc, sk))
                 return 0;
 
-        return inet_twsk_diag_fill(inet_twsk(sk), skb, r,
+        return inet_twsk_diag_fill(sk, skb, r,
                                    NETLINK_CB(cb->skb).portid,
                                    cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh);
 }
@@ -734,7 +735,10 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
         r->idiag_retrans = req->num_retrans;
 
         r->id.idiag_if = sk->sk_bound_dev_if;
-        sock_diag_save_cookie(req, r->id.idiag_cookie);
+
+        BUILD_BUG_ON(offsetof(struct inet_request_sock, ir_cookie) !=
+                     offsetof(struct sock, sk_cookie));
+        sock_diag_save_cookie((struct sock *)ireq, r->id.idiag_cookie);
 
         tmo = req->expires - jiffies;
         if (tmo < 0)