From patchwork Thu Nov 30 17:30:51 2017
X-Patchwork-Submitter: David Ahern
X-Patchwork-Id: 10085397
Subject: Re: [BUG] kernel stack corruption during/after Netlabel error
From: David Ahern
To: Eric Dumazet, Casey Schaufler, James Morris
Cc: Paul Moore, netdev@vger.kernel.org, Stephen Smalley, selinux@tycho.nsa.gov, LSM
References: <4d73f839-7a86-6edc-b44b-e296bd5947c2@schaufler-ca.com> <1512039044.19682.12.camel@gmail.com>
Date: Thu, 30 Nov 2017 10:30:51 -0700

On 11/30/17 8:44 AM, David Ahern wrote:
> On 11/30/17 3:50 AM, Eric Dumazet wrote:
>> @@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb) >> >> th = (const struct tcphdr *)skb->data; >> iph = ip_hdr(skb); >> - /* This is tricky : We move IPCB at its correct location into TCP_SKB_CB() >> - * barrier() makes sure compiler wont play fool^Waliasing games. >> - */ >> - memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb), >> - sizeof(struct inet_skb_parm)); >> - barrier(); >> - >> - TCP_SKB_CB(skb)->seq = ntohl(th->seq); >> - TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin + >> - skb->len - th->doff * 4); >> - TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq); >> - TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th); >> - TCP_SKB_CB(skb)->tcp_tw_isn = 0; >> - TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph); >> - TCP_SKB_CB(skb)->sacked = 0; >> - TCP_SKB_CB(skb)->has_rxtstamp = >> - skb->tstamp || skb_hwtstamps(skb)->hwtstamp; >> - >> lookup: >> sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source, >> th->dest, sdif, &refcounted); > > I believe moving the above is going to affect lookups with VRF. Let me > take a look before this gets committed. > Eric: Can you add this to the patch? Fixes socket lookups with VRF which stashes a flag in the cb. Thanks, return false; --- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/include/net/tcp.h b/include/net/tcp.h index 4e09398009c1..6c020015d556 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -849,7 +849,7 @@ static inline bool inet_exact_dif_match(struct net *net, struct sk_buff *skb) { #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) if (!net->ipv4.sysctl_tcp_l3mdev_accept && - skb && ipv4_l3mdev_skb(TCP_SKB_CB(skb)->header.h4.flags)) + skb && ipv4_l3mdev_skb(IPCB(skb)->flags)) return true; #endif
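Review bot: In the quoted tcp_v4_rcv() hunk, dropping the memmove() of IPCB(skb) into TCP_SKB_CB(skb)->header.h4 ahead of the lookup: label means __inet_lookup_skb() now runs while skb->cb is still in the IP-layer layout. Every helper reachable from the lookup that reads TCP_SKB_CB(skb)->header.h4, or seq, end_seq, tcp_flags and the other fields initialised in the removed lines, needs to be audited and either switched to IPCB(skb) or kept after the new fill point. The visible lines do not show where the fill now happens, so a short comment at lookup: stating that the control block is still in IPCB layout there would keep later changes from reintroducing a read of uninitialised TCP_SKB_CB fields.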
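Review bot: In the include/net/tcp.h hunk, inet_exact_dif_match() now reads IPCB(skb)->flags, which is valid only while skb->cb has not yet been rewritten into the TCP_SKB_CB() layout, and the function does not state that precondition. Add a comment above the ipv4_l3mdev_skb(IPCB(skb)->flags) test saying it must be called before the control block is moved, and confirm that every caller of inet_exact_dif_match() sits on the pre-move side; a caller on the other side would test unrelated bytes for the l3mdev flag and take the wrong branch when matching VRF sockets. Because this is to be folded into the other patch, the stated rationale ("Fixes socket lookups with VRF which stashes a flag in the cb") should be carried into the combined commit message.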