[BUG] kernel stack corruption during/after Netlabel error

Message ID	d29937fd-dd04-8568-f89c-505ff725761a@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Subject: Re: [BUG] kernel stack corruption during/after Netlabel error From: David Ahern <dsahern@gmail.com> To: Eric Dumazet <eric.dumazet@gmail.com>, Casey Schaufler <casey@schaufler-ca.com>, James Morris <james.l.morris@oracle.com> Cc: Paul Moore <paul@paul-moore.com>, netdev@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov, LSM <linux-security-module@vger.kernel.org> References: <alpine.LFD.2.20.1711292113350.7808@localhost> <4d73f839-7a86-6edc-b44b-e296bd5947c2@schaufler-ca.com> <alpine.LFD.2.20.1711301130330.17322@localhost> <ae2e71e4-c366-5a1e-9fd6-4de944f4a158@schaufler-ca.com> <1512039044.19682.12.camel@gmail.com> <b92c6b3d-5c7e-9859-4bb2-b1a0aa64d86b@gmail.com> Message-ID: <d29937fd-dd04-8568-f89c-505ff725761a@gmail.com> Date: Thu, 30 Nov 2017 10:30:51 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <b92c6b3d-5c7e-9859-4bb2-b1a0aa64d86b@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk

Message ID

d29937fd-dd04-8568-f89c-505ff725761a@gmail.com (mailing list archive)

State

New, archived

Headers

Subject: Re: [BUG] kernel stack corruption during/after Netlabel error
From: David Ahern <dsahern@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <james.l.morris@oracle.com>
Cc: Paul Moore <paul@paul-moore.com>, netdev@vger.kernel.org,
	Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov,
	LSM <linux-security-module@vger.kernel.org>
References: <alpine.LFD.2.20.1711292113350.7808@localhost>
	<4d73f839-7a86-6edc-b44b-e296bd5947c2@schaufler-ca.com>
	<alpine.LFD.2.20.1711301130330.17322@localhost>
	<ae2e71e4-c366-5a1e-9fd6-4de944f4a158@schaufler-ca.com>
	<1512039044.19682.12.camel@gmail.com>
	<b92c6b3d-5c7e-9859-4bb2-b1a0aa64d86b@gmail.com>
Message-ID: <d29937fd-dd04-8568-f89c-505ff725761a@gmail.com>
Date: Thu, 30 Nov 2017 10:30:51 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
	Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <b92c6b3d-5c7e-9859-4bb2-b1a0aa64d86b@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Commit Message

David Ahern Nov. 30, 2017, 5:30 p.m. UTC

On 11/30/17 8:44 AM, David Ahern wrote:
> On 11/30/17 3:50 AM, Eric Dumazet wrote:
>> @@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb)
>>  
>>  	th = (const struct tcphdr *)skb->data;
>>  	iph = ip_hdr(skb);
>> -	/* This is tricky : We move IPCB at its correct location into TCP_SKB_CB()
>> -	 * barrier() makes sure compiler wont play fool^Waliasing games.
>> -	 */
>> -	memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb),
>> -		sizeof(struct inet_skb_parm));
>> -	barrier();
>> -
>> -	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
>> -	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
>> -				    skb->len - th->doff * 4);
>> -	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
>> -	TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
>> -	TCP_SKB_CB(skb)->tcp_tw_isn = 0;
>> -	TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph);
>> -	TCP_SKB_CB(skb)->sacked	 = 0;
>> -	TCP_SKB_CB(skb)->has_rxtstamp =
>> -			skb->tstamp || skb_hwtstamps(skb)->hwtstamp;
>> -
>>  lookup:
>>  	sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
>>  			       th->dest, sdif, &refcounted);
> 
> I believe moving the above is going to affect lookups with VRF. Let me
> take a look before this gets committed.
> 

Eric:

Can you add this to the patch? Fixes socket lookups with VRF which
stashes a flag in the cb.

Thanks,

        return false;
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Eric Dumazet Nov. 30, 2017, 5:57 p.m. UTC | #1

On Thu, 2017-11-30 at 10:30 -0700, David Ahern wrote:
> On 11/30/17 8:44 AM, David Ahern wrote:
> > On 11/30/17 3:50 AM, Eric Dumazet wrote:
> > > @@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb)
> > >  
> > >  	th = (const struct tcphdr *)skb->data;
> > >  	iph = ip_hdr(skb);
> > > -	/* This is tricky : We move IPCB at its correct location
> > > into TCP_SKB_CB()
> > > -	 * barrier() makes sure compiler wont play
> > > fool^Waliasing games.
> > > -	 */
> > > -	memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb),
> > > -		sizeof(struct inet_skb_parm));
> > > -	barrier();
> > > -
> > > -	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
> > > -	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th-
> > > >syn + th->fin +
> > > -				    skb->len - th->doff * 4);
> > > -	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
> > > -	TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
> > > -	TCP_SKB_CB(skb)->tcp_tw_isn = 0;
> > > -	TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph);
> > > -	TCP_SKB_CB(skb)->sacked	 = 0;
> > > -	TCP_SKB_CB(skb)->has_rxtstamp =
> > > -			skb->tstamp || skb_hwtstamps(skb)-
> > > >hwtstamp;
> > > -
> > >  lookup:
> > >  	sk = __inet_lookup_skb(&tcp_hashinfo, skb,
> > > __tcp_hdrlen(th), th->source,
> > >  			       th->dest, sdif, &refcounted);
> > 
> > I believe moving the above is going to affect lookups with VRF. Let
> > me
> > take a look before this gets committed.
> > 
> 
> Eric:
> 
> Can you add this to the patch? Fixes socket lookups with VRF which
> stashes a flag in the cb.
> 
> Thanks,
> 
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index 4e09398009c1..6c020015d556 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -849,7 +849,7 @@ static inline bool inet_exact_dif_match(struct
> net
> *net, struct sk_buff *skb)
>  {
>  #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
>         if (!net->ipv4.sysctl_tcp_l3mdev_accept &&
> -           skb && ipv4_l3mdev_skb(TCP_SKB_CB(skb)->header.h4.flags))
> +           skb && ipv4_l3mdev_skb(IPCB(skb)->flags))
>                 return true;
>  #endif
>         return false;


I wonder if this should not be in a separate patch ?

Bug was added in 971f10eca186cab238c49daa91f703c5a001b0b1 ("tcp: better
TCP_SKB_CB layout to reduce cache line misses")  in linux 3.18

While VRF was added later.

If you agree, I will prepare a patch series, with different Fixes tag
so that David can decide which path needs to be backported into each
stable version.

Thanks.

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Ahern Nov. 30, 2017, 6:03 p.m. UTC | #2

On 11/30/17 10:57 AM, Eric Dumazet wrote:
> I wonder if this should not be in a separate patch ?
> 
> Bug was added in 971f10eca186cab238c49daa91f703c5a001b0b1 ("tcp: better
> TCP_SKB_CB layout to reduce cache line misses")  in linux 3.18
> 
> While VRF was added later.
> 
> If you agree, I will prepare a patch series, with different Fixes tag
> so that David can decide which path needs to be backported into each
> stable version.
> 

That's sound fine to me.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Casey Schaufler Nov. 30, 2017, 6:16 p.m. UTC | #3

On 11/30/2017 9:57 AM, Eric Dumazet wrote:
> On Thu, 2017-11-30 at 10:30 -0700, David Ahern wrote:
>> On 11/30/17 8:44 AM, David Ahern wrote:
>>> On 11/30/17 3:50 AM, Eric Dumazet wrote:
>>>> @@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb)
>>>>  
>>>>  	th = (const struct tcphdr *)skb->data;
>>>>  	iph = ip_hdr(skb);
>>>> -	/* This is tricky : We move IPCB at its correct location
>>>> into TCP_SKB_CB()
>>>> -	 * barrier() makes sure compiler wont play
>>>> fool^Waliasing games.
>>>> -	 */
>>>> -	memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb),
>>>> -		sizeof(struct inet_skb_parm));
>>>> -	barrier();
>>>> -
>>>> -	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
>>>> -	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th-
>>>>> syn + th->fin +
>>>> -				    skb->len - th->doff * 4);
>>>> -	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
>>>> -	TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
>>>> -	TCP_SKB_CB(skb)->tcp_tw_isn = 0;
>>>> -	TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph);
>>>> -	TCP_SKB_CB(skb)->sacked	 = 0;
>>>> -	TCP_SKB_CB(skb)->has_rxtstamp =
>>>> -			skb->tstamp || skb_hwtstamps(skb)-
>>>>> hwtstamp;
>>>> -
>>>>  lookup:
>>>>  	sk = __inet_lookup_skb(&tcp_hashinfo, skb,
>>>> __tcp_hdrlen(th), th->source,
>>>>  			       th->dest, sdif, &refcounted);
>>> I believe moving the above is going to affect lookups with VRF. Let
>>> me
>>> take a look before this gets committed.
>>>
>> Eric:
>>
>> Can you add this to the patch? Fixes socket lookups with VRF which
>> stashes a flag in the cb.

I've done my testing and it works both ways for Smack.


>>
>> Thanks,
>>
>> diff --git a/include/net/tcp.h b/include/net/tcp.h
>> index 4e09398009c1..6c020015d556 100644
>> --- a/include/net/tcp.h
>> +++ b/include/net/tcp.h
>> @@ -849,7 +849,7 @@ static inline bool inet_exact_dif_match(struct
>> net
>> *net, struct sk_buff *skb)
>>  {
>>  #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
>>         if (!net->ipv4.sysctl_tcp_l3mdev_accept &&
>> -           skb && ipv4_l3mdev_skb(TCP_SKB_CB(skb)->header.h4.flags))
>> +           skb && ipv4_l3mdev_skb(IPCB(skb)->flags))
>>                 return true;
>>  #endif
>>         return false;
>
> I wonder if this should not be in a separate patch ?
>
> Bug was added in 971f10eca186cab238c49daa91f703c5a001b0b1 ("tcp: better
> TCP_SKB_CB layout to reduce cache line misses")  in linux 3.18
>
> While VRF was added later.
>
> If you agree, I will prepare a patch series, with different Fixes tag
> so that David can decide which path needs to be backported into each
> stable version.
>
> Thanks.
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 4e09398009c1..6c020015d556 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -849,7 +849,7 @@  static inline bool inet_exact_dif_match(struct net
*net, struct sk_buff *skb)
 {
 #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
        if (!net->ipv4.sysctl_tcp_l3mdev_accept &&
-           skb && ipv4_l3mdev_skb(TCP_SKB_CB(skb)->header.h4.flags))
+           skb && ipv4_l3mdev_skb(IPCB(skb)->flags))
                return true;
 #endif

[BUG] kernel stack corruption during/after Netlabel error

Commit Message

Comments

Patch