diff mbox series

[ipsec,2/2] xfrm: Log input direction mismatch error in one place

Message ID 50e4e7fd0b978aaa4721f022a3d5737c377c8375.1718087437.git.antony.antony@secunet.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [ipsec,1/2] xfrm: Fix input error path memory access | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 855 this patch: 855
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 1 blamed authors not CCed: nicolas.dichtel@6wind.com; 2 maintainers not CCed: nicolas.dichtel@6wind.com dsahern@kernel.org
netdev/build_clang success Errors and warnings before: 854 this patch: 854
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 859 this patch: 859
netdev/checkpatch warning WARNING: line length of 82 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Antony Antony June 11, 2024, 6:32 a.m. UTC 
Previously, the offload data path decrypted the packet before checking
the direction, leading to error logging and packet dropping. However,
dropped packets wouldn't be visible in tcpdump or audit log.

With this fix, the offload path, upon noticing SA direction mismatch,
will pass the packet to the stack without decrypting it. The L3 layer
will then log the error, audit, and drop ESP without decrypting or
decapsulating it.

This also ensures that the slow path records the error and audit log,
making dropped packets visible in tcpdump.

Fixes: 304b44f0d5a4 ("xfrm: Add dir validation to "in" data path lookup")
Signed-off-by: Antony Antony <antony.antony@secunet.com>
---
 net/ipv4/esp4_offload.c | 7 +++++++
 net/ipv6/esp6_offload.c | 7 +++++++
 net/xfrm/xfrm_input.c   | 5 -----
 3 files changed, 14 insertions(+), 5 deletions(-)

Comments

Simon Horman June 14, 2024, 12:10 p.m. UTC | #1 
On Tue, Jun 11, 2024 at 08:32:15AM +0200, Antony Antony wrote:
> Previously, the offload data path decrypted the packet before checking
> the direction, leading to error logging and packet dropping. However,
> dropped packets wouldn't be visible in tcpdump or audit log.
> 
> With this fix, the offload path, upon noticing SA direction mismatch,
> will pass the packet to the stack without decrypting it. The L3 layer
> will then log the error, audit, and drop ESP without decrypting or
> decapsulating it.
> 
> This also ensures that the slow path records the error and audit log,
> making dropped packets visible in tcpdump.
> 
> Fixes: 304b44f0d5a4 ("xfrm: Add dir validation to "in" data path lookup")
> Signed-off-by: Antony Antony <antony.antony@secunet.com>

Thanks Antony,

The comment below notwithstanding, this looks good to me.
Reviewed-by: Simon Horman <horms@kernel.org>

> ---
>  net/ipv4/esp4_offload.c | 7 +++++++
>  net/ipv6/esp6_offload.c | 7 +++++++
>  net/xfrm/xfrm_input.c   | 5 -----
>  3 files changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
> index b3271957ad9a..3f28ecbdcaef 100644
> --- a/net/ipv4/esp4_offload.c
> +++ b/net/ipv4/esp4_offload.c
> @@ -56,6 +56,13 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
>  		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
>  				      (xfrm_address_t *)&ip_hdr(skb)->daddr,
>  				      spi, IPPROTO_ESP, AF_INET);
> +
> +		if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
> +			/* non-offload path will record the error and audit log */
> +			xfrm_state_put(x);
> +			x = NULL;
> +		}
> +
>  		if (!x)
>  			goto out_reset;
>  
> diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
> index 527b7caddbc6..919ebfabbe4e 100644
> --- a/net/ipv6/esp6_offload.c
> +++ b/net/ipv6/esp6_offload.c
> @@ -83,6 +83,13 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
>  		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
>  				      (xfrm_address_t *)&ipv6_hdr(skb)->daddr,
>  				      spi, IPPROTO_ESP, AF_INET6);
> +
> +		if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
> +			/* non-offload path will record the error and audit log */
> +			xfrm_state_put(x);
> +			x = NULL;
> +		}
> +
>  		if (!x)
>  			goto out_reset;
>  

The logic in the two hunks above seems to be duplicated.
FWIIW, I think it would be nice to consolidate it.

...
Steffen Klassert June 18, 2024, 7:47 a.m. UTC | #2 
On Tue, Jun 11, 2024 at 08:32:15AM +0200, Antony Antony wrote:
> Previously, the offload data path decrypted the packet before checking
> the direction, leading to error logging and packet dropping. However,
> dropped packets wouldn't be visible in tcpdump or audit log.
> 
> With this fix, the offload path, upon noticing SA direction mismatch,
> will pass the packet to the stack without decrypting it. The L3 layer
> will then log the error, audit, and drop ESP without decrypting or
> decapsulating it.
> 
> This also ensures that the slow path records the error and audit log,
> making dropped packets visible in tcpdump.
> 
> Fixes: 304b44f0d5a4 ("xfrm: Add dir validation to "in" data path lookup")
> Signed-off-by: Antony Antony <antony.antony@secunet.com>

Also applied, thanks a lot!
diff mbox series

Patch

diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index b3271957ad9a..3f28ecbdcaef 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -56,6 +56,13 @@  static struct sk_buff *esp4_gro_receive(struct list_head *head,
 		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
 				      (xfrm_address_t *)&ip_hdr(skb)->daddr,
 				      spi, IPPROTO_ESP, AF_INET);
+
+		if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
+			/* non-offload path will record the error and audit log */
+			xfrm_state_put(x);
+			x = NULL;
+		}
+
 		if (!x)
 			goto out_reset;
 
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 527b7caddbc6..919ebfabbe4e 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -83,6 +83,13 @@  static struct sk_buff *esp6_gro_receive(struct list_head *head,
 		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
 				      (xfrm_address_t *)&ipv6_hdr(skb)->daddr,
 				      spi, IPPROTO_ESP, AF_INET6);
+
+		if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
+			/* non-offload path will record the error and audit log */
+			xfrm_state_put(x);
+			x = NULL;
+		}
+
 		if (!x)
 			goto out_reset;
 
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 63c004103912..e95462b982b0 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -474,11 +474,6 @@  int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 	if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) {
 		x = xfrm_input_state(skb);
 
-		if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
-			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEDIRERROR);
-			goto drop;
-		}
-
 		if (unlikely(x->km.state != XFRM_STATE_VALID)) {
 			if (x->km.state == XFRM_STATE_ACQ)
 				XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);