brain-hackers_pepepper-mirror/linux-brain
1
0
Fork 0
mirror of https://github.com/brain-hackers/linux-brain.git synced 2024-06-09 23:36:23 +09:00
Code Issues Projects Releases Wiki Activity
4.14-1.0.x-imx
linux-brain/net/ipv4
History
Martin Willi a12795d795 esp: Skip TX bytes accounting when sending from a request socket 
[ Upstream commit 09db512411 ]

On ESP output, sk_wmem_alloc is incremented for the added padding if a
socket is associated to the skb. When replying with TCP SYNACKs over
IPsec, the associated sk is a casted request socket, only. Increasing
sk_wmem_alloc on a request socket results in a write at an arbitrary
struct offset. In the best case, this produces the following WARNING:

WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
refcount_t: addition on 0; use-after-free.
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
Hardware name: Marvell Armada 380/385 (Device Tree)
[...]
[<bf0ff354>] (esp_output_head [esp4]) from [<bf1006a4>] (esp_output+0xb8/0x180 [esp4])
[<bf1006a4>] (esp_output [esp4]) from [<c05dee64>] (xfrm_output_resume+0x558/0x664)
[<c05dee64>] (xfrm_output_resume) from [<c05d07b0>] (xfrm4_output+0x44/0xc4)
[<c05d07b0>] (xfrm4_output) from [<c05956bc>] (tcp_v4_send_synack+0xa8/0xe8)
[<c05956bc>] (tcp_v4_send_synack) from [<c0586ad8>] (tcp_conn_request+0x7f4/0x948)
[<c0586ad8>] (tcp_conn_request) from [<c058c404>] (tcp_rcv_state_process+0x2a0/0xe64)
[<c058c404>] (tcp_rcv_state_process) from [<c05958ac>] (tcp_v4_do_rcv+0xf0/0x1f4)
[<c05958ac>] (tcp_v4_do_rcv) from [<c0598a4c>] (tcp_v4_rcv+0xdb8/0xe20)
[<c0598a4c>] (tcp_v4_rcv) from [<c056eb74>] (ip_protocol_deliver_rcu+0x2c/0x2dc)
[<c056eb74>] (ip_protocol_deliver_rcu) from [<c056ee6c>] (ip_local_deliver_finish+0x48/0x54)
[<c056ee6c>] (ip_local_deliver_finish) from [<c056eecc>] (ip_local_deliver+0x54/0xec)
[<c056eecc>] (ip_local_deliver) from [<c056efac>] (ip_rcv+0x48/0xb8)
[<c056efac>] (ip_rcv) from [<c0519c2c>] (__netif_receive_skb_one_core+0x50/0x6c)
[...]

The issue triggers only when not using TCP syncookies, as for syncookies
no socket is associated.

Fixes: cac2661c53 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-03-23 14:35:14 +01:00
..
netfilter netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set 2019-01-26 09:37:05 +01:00
af_inet.c gso_segment: Reset skb->mac_len after modifying network header 2018-09-29 03:06:00 -07:00
ah4.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-06-23 14:17:31 -04:00
arp.c arp: fix arp_filter on l3slave devices 2018-04-12 12:32:22 +02:00
cipso_ipv4.c net: avoid use IPCB in cipso_v4_error 2019-03-13 14:03:09 -07:00
datagram.c net: Set sk_txhash from a random number 2015-07-29 22:44:04 -07:00
devinet.c ipv4: igmp: guard against silly MTU values 2018-01-02 20:31:06 +01:00
esp4_offload.c esp: Fix GRO when the headers not fully in the linear part of the skb. 2018-02-25 11:07:46 +01:00
esp4.c esp: Skip TX bytes accounting when sending from a request socket 2019-03-23 14:35:14 +01:00
fib_frontend.c ipv4: Return error for RTA_VIA attribute 2019-03-13 14:03:09 -07:00
fib_lookup.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fib_notifier.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fib_rules.c net: fib_rules: Implement notification logic in core 2017-08-03 15:35:59 -07:00
fib_semantics.c net: ipv4: update fnhe_pmtu when first hop's MTU changes 2018-10-18 09:16:17 +02:00
fib_trie.c net: ipv4: Fix memory leak in network namespace dismantle 2019-01-31 08:13:42 +01:00
fou.c net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
gre_demux.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
gre_offload.c net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
icmp.c net: Add __icmp_send helper. 2019-03-13 14:03:09 -07:00
igmp.c multicast: do not restore deleted record source filter mode to new one 2018-07-28 07:55:42 +02:00
inet_connection_sock.c inet: make sure to grab rcu_read_lock before using ireq->ireq_opt 2018-10-18 09:16:21 +02:00
inet_diag.c inet_diag: fix reporting cgroup classid and fallback to priority 2019-02-27 10:08:07 +01:00
inet_fragment.c ipfrag: really prevent allocation on netns exit 2019-01-31 08:13:42 +01:00
inet_hashtables.c net/tcp: Fix socket lookups with SO_BINDTODEVICE 2018-07-22 14:28:46 +02:00
inet_timewait_sock.c soreuseport: initialise timewait reuseport field 2018-05-16 10:10:24 +02:00
inetpeer.c net: ipv4: use a dedicated counter for icmp_v4 redirect packets 2019-02-23 09:06:42 +01:00
ip_forward.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip_fragment.c Fix "net: ipv4: do not handle duplicate fragments as overlapping" 2019-02-06 17:31:31 +01:00
ip_gre.c erspan: return PACKET_REJECT when the appropriate tunnel is not found 2018-09-26 08:37:58 +02:00
ip_input.c net: Fix usage of pskb_trim_rcsum 2019-01-31 08:13:41 +01:00
ip_options.c net: avoid use IPCB in cipso_v4_error 2019-03-13 14:03:09 -07:00
ip_output.c ip: hash fragments consistently 2018-07-28 07:55:41 +02:00
ip_sockglue.c ip: on queued skb use skb_header_pointer instead of pskb_may_pull 2019-01-23 08:09:47 +01:00
ip_tunnel_core.c ip_tunnel: don't force DF when MTU is locked 2018-11-23 08:19:25 +01:00
ip_tunnel.c ip_tunnel: Fix name string concatenate in __ip_tunnel_create() 2018-12-08 13:03:35 +01:00
ip_vti.c vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel 2019-03-13 14:03:11 -07:00
ipcomp.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ipconfig.c ipconfig: Correctly initialise ic_nameservers 2018-08-03 07:50:39 +02:00
ipip.c ipip: only increase err_count for some certain type icmp in ipip_err 2017-10-27 23:43:31 +09:00
ipmr.c ipv4: Fix potential Spectre v1 vulnerability 2019-01-09 17:14:42 +01:00
Kconfig ip: update policy routing config help 2017-10-12 22:57:11 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netfilter.c netfilter: use skb_to_full_sk in ip_route_me_harder 2017-02-28 12:49:36 +01:00
ping.c ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg 2018-05-19 10:20:23 +02:00
proc.c ip: discard IPv4 datagrams with overlapping segments. 2018-09-19 22:43:47 +02:00
protocol.c net: Add sysctl to toggle early demux for tcp and udp 2017-03-24 13:17:07 -07:00
raw_diag.c net: ipv6: add second dif to raw socket lookups 2017-08-07 11:39:22 -07:00
raw.c net: ipv4: fix for a race condition in raw_sendmsg 2018-01-02 20:31:08 +01:00
route.c route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race 2019-03-19 13:13:23 +01:00
syncookies.c tcp: handle inet_csk_reqsk_queue_add() failures 2019-03-19 13:13:23 +01:00
sysctl_net_ipv4.c ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns 2018-07-25 11:25:09 +02:00
tcp_bbr.c tcp_bbr: fix bw probing to raise in-flight data for very small BDPs 2018-08-03 07:50:44 +02:00
tcp_bic.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp_cdg.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp_cong.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
tcp_cubic.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp_dctcp.c tcp: remove DELAYED ACK events in DCTCP 2018-08-24 13:09:17 +02:00
tcp_diag.c tcp_diag: report TCP MD5 signing keys and addresses 2017-09-01 18:38:09 -07:00
tcp_fastopen.c net: add rb_to_skb() and other rb tree helpers 2018-09-19 22:43:47 +02:00
tcp_highspeed.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp_htcp.c tcp: fix cwnd undo in Reno and HTCP congestion controls 2017-08-06 21:25:10 -07:00
tcp_hybla.c tcp: make undo_cwnd mandatory for congestion modules 2016-11-21 13:20:17 -05:00
tcp_illinois.c net/tcp/illinois: replace broken algorithm reference link 2018-05-30 07:52:06 +02:00
tcp_input.c tcp: handle inet_csk_reqsk_queue_add() failures 2019-03-19 13:13:23 +01:00
tcp_ipv4.c tcp: Don't access TCP_SKB_CB before initializing it 2019-03-19 13:13:23 +01:00
tcp_lp.c tcp: switch TCP TS option (RFC 7323) to 1ms clock 2017-05-17 16:06:01 -04:00
tcp_metrics.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tcp_minisocks.c tcp: do not restart timewait timer on rst reception 2018-09-15 09:45:25 +02:00
tcp_nv.c tcp_nv: fix potential integer overflow in tcpnv_acked 2018-04-26 11:02:13 +02:00
tcp_offload.c gso: validate gso_type in GSO handlers 2018-01-31 14:03:47 +01:00
tcp_output.c tcp: lack of available data can also cause TSO defer 2018-12-17 09:28:55 +01:00
tcp_probe.c tcp: remove redundant argument from tcp_rcv_established() 2017-07-24 17:28:12 -07:00
tcp_rate.c tcp: invalidate rate samples during SACK reneging 2018-01-02 20:31:09 +01:00
tcp_recovery.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tcp_scalable.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp_timer.c tcp: purge write queue upon aborting the connection 2018-03-31 18:10:38 +02:00
tcp_ulp.c tcp, ulp: add alias for all ulp modules 2018-09-15 09:45:29 +02:00
tcp_vegas.c tcp: fix under-evaluated ssthresh in TCP Vegas 2017-12-25 14:26:30 +01:00
tcp_vegas.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tcp_veno.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp_westwood.c tcp: Revert "tcp: remove CA_ACK_SLOWPATH" 2017-08-30 11:20:08 -07:00
tcp_yeah.c tcp: consolidate congestion control undo functions 2017-08-06 21:25:10 -07:00
tcp.c tcp: clear icsk_backoff in tcp_write_queue_purge() 2019-02-23 09:06:43 +01:00
tunnel4.c tunnels: correct conditional build of MPLS and IPv6 2016-07-11 13:27:06 -07:00
udp_diag.c udp: fix rx queue len reported by diag and proc interface 2018-06-26 08:06:28 +08:00
udp_impl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udp_offload.c net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
udp_tunnel.c net: add infrastructure to un-offload UDP tunnel port 2017-07-24 13:52:59 -07:00
udp.c net: udp: fix handling of CHECKSUM_COMPLETE packets 2018-11-04 14:52:49 +01:00
udplite.c udplite: call proper backlog handlers 2016-11-24 15:32:14 -05:00
xfrm4_input.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-11-04 14:52:37 +01:00
xfrm4_mode_beet.c networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
xfrm4_mode_transport.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-11-04 14:52:37 +01:00
xfrm4_mode_tunnel.c xfrm: Add encapsulation header offsets while SKB is not encrypted 2017-04-14 10:07:39 +02:00
xfrm4_output.c xfrm: Add an IPsec hardware offloading API 2017-04-14 10:06:10 +02:00
xfrm4_policy.c ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu 2018-05-30 07:52:14 +02:00
xfrm4_protocol.c xfrm: input: constify xfrm_input_afinfo 2017-02-09 10:22:17 +01:00
xfrm4_state.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm4_tunnel.c