The following commits are needed to fix CVE-2021-20322:

ipv4:
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

ipv6:
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
Commit [2] is already present in 4.19 stable, so backport the remaining three fixes with minor context adjustments.
Eric Dumazet (3):
  ipv4: use siphash instead of Jenkins in fnhe_hashfun()
  ipv6: use siphash in rt6_exception_hash()
  ipv6: make exception cache less predictible

 net/ipv4/route.c | 12 ++++++------
 net/ipv6/route.c | 25 ++++++++++++++++++-------
 2 files changed, 24 insertions(+), 13 deletions(-)
From: Eric Dumazet <edumazet@google.com>
commit 6457378fe796815c973f631a1904e147d6ee33b1 upstream.
A group of security researchers brought to our attention the weakness of hash function used in fnhe_hashfun().
Let's use siphash instead of Jenkins Hash, to considerably reduce security risks.
Also remove the inline keyword, this really is distracting.
Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
[OP: adjusted context for 4.19 stable]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
 net/ipv4/route.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 730a15fc497c..b41d4acc57e6 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -625,14 +625,14 @@ static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash) kfree_rcu(oldest, rcu); }
-static inline u32 fnhe_hashfun(__be32 daddr) +static u32 fnhe_hashfun(__be32 daddr) { - static u32 fnhe_hashrnd __read_mostly; - u32 hval; + static siphash_key_t fnhe_hash_key __read_mostly; + u64 hval;
- net_get_random_once(&fnhe_hashrnd, sizeof(fnhe_hashrnd)); - hval = jhash_1word((__force u32) daddr, fnhe_hashrnd); - return hash_32(hval, FNHE_HASH_SHIFT); + net_get_random_once(&fnhe_hash_key, sizeof(fnhe_hash_key)); + hval = siphash_1u32((__force u32)daddr, &fnhe_hash_key); + return hash_64(hval, FNHE_HASH_SHIFT); }
static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
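Review bot: fnhe_hashfun() now depends on siphash_key_t and siphash_1u32(), but the patch adds no `#include <linux/siphash.h>` to net/ipv4/route.c, while the ipv6 patch in this series adds that include explicitly. For the 4.19 backport, confirm that route.c already gets the header (directly or through another include) or add it here, so the build does not rest on an indirect include. Widening hval to u64 and switching to hash_64() matches the 64-bit siphash result, so the rest of the function needs no change.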
From: Eric Dumazet <edumazet@google.com>
commit 4785305c05b25a242e5314cc821f54ade4c18810 upstream.
A group of security researchers brought to our attention the weakness of hash function used in rt6_exception_hash()
Let's use siphash instead of Jenkins Hash, to considerably reduce security risks.
Following patch deals with IPv4.
Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Cc: Wei Wang <weiwan@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>
Acked-by: Wei Wang <weiwan@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[OP: adjusted context for 4.19 stable]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
 net/ipv6/route.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index f884739a0c1c..9bc806a4ded6 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -45,6 +45,7 @@ #include <linux/nsproxy.h> #include <linux/slab.h> #include <linux/jhash.h> +#include <linux/siphash.h> #include <net/net_namespace.h> #include <net/snmp.h> #include <net/ipv6.h> @@ -1337,17 +1338,24 @@ static void rt6_exception_remove_oldest(struct rt6_exception_bucket *bucket) static u32 rt6_exception_hash(const struct in6_addr *dst, const struct in6_addr *src) { - static u32 seed __read_mostly; - u32 val; + static siphash_key_t rt6_exception_key __read_mostly; + struct { + struct in6_addr dst; + struct in6_addr src; + } __aligned(SIPHASH_ALIGNMENT) combined = { + .dst = *dst, + }; + u64 val;
- net_get_random_once(&seed, sizeof(seed)); - val = jhash(dst, sizeof(*dst), seed); + net_get_random_once(&rt6_exception_key, sizeof(rt6_exception_key));
#ifdef CONFIG_IPV6_SUBTREES if (src) - val = jhash(src, sizeof(*src), val); + combined.src = *src; #endif - return hash_32(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT); + val = siphash(&combined, sizeof(combined), &rt6_exception_key); + + return hash_64(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT); }
/* Helper function to find the cached rt in the hash table
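Review bot: in rt6_exception_hash(), the bucket index relies on `combined.src` staying all-zero whenever src is NULL or CONFIG_IPV6_SUBTREES is off, and that zeroing comes only from the designated initializer `.dst = *dst`. A one-line comment on the struct would keep a later edit from switching to field-by-field assignment and feeding uninitialized stack bytes to siphash(). Separately, `#include <linux/jhash.h>` is kept next to the new siphash include; check whether anything else in net/ipv6/route.c still uses jhash, and if not, the include can be dropped in a follow-up.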
On Thu, Oct 28, 2021 at 10:08:58PM +0300, Ovidiu Panait wrote:
> The following commits are needed to fix CVE-2021-20322:
>
> ipv4:
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>
> ipv6:
> [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
> [4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>
> Commit [2] is already present in 4.19 stable, so backport the remaining three fixes with minor context adjustments.
>
> Eric Dumazet (3):
>   ipv4: use siphash instead of Jenkins in fnhe_hashfun()
>   ipv6: use siphash in rt6_exception_hash()
>   ipv6: make exception cache less predictible
>
>  net/ipv4/route.c | 12 ++++++------
>  net/ipv6/route.c | 25 ++++++++++++++++++-------
>  2 files changed, 24 insertions(+), 13 deletions(-)
>
> --
> 2.25.1
You sent 0/3 but only 2 patches showed up?
Can you please resend all 3?
thanks,
greg k-h
Hi Greg,
On 29.10.2021 10:39, Greg KH wrote:
> On Thu, Oct 28, 2021 at 10:08:58PM +0300, Ovidiu Panait wrote:
>> The following commits are needed to fix CVE-2021-20322:
>>
>> ipv4:
>> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>>
>> ipv6:
>> [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>> [4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>>
>> Commit [2] is already present in 4.19 stable, so backport the remaining three fixes with minor context adjustments.
>>
>> Eric Dumazet (3):
>>   ipv4: use siphash instead of Jenkins in fnhe_hashfun()
>>   ipv6: use siphash in rt6_exception_hash()
>>   ipv6: make exception cache less predictible
>>
>>  net/ipv4/route.c | 12 ++++++------
>>  net/ipv6/route.c | 25 ++++++++++++++++++-------
>>  2 files changed, 24 insertions(+), 13 deletions(-)
>>
>> --
>> 2.25.1
>
> You sent 0/3 but only 2 patches showed up?
>
> Can you please resend all 3?
I tried resending the full patchset, but the last patch is still not showing up.
git send-email doesn't report any errors:
OK. Log says:
MAIL FROM:<ovidiu.panait@windriver.com>
RCPT TO:<stable@vger.kernel.org>
RCPT TO:<gregkh@linuxfoundation.org>
From: Ovidiu Panait <ovidiu.panait@windriver.com>
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org
Subject: [PATCH 4.19 3/3] ipv6: make exception cache less predictible
Date: Fri, 29 Oct 2021 10:50:27 +0300
Message-Id: <20211029075027.1910142-4-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211029075027.1910142-1-ovidiu.panait@windriver.com>
References: <20211029075027.1910142-1-ovidiu.panait@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Result: 250
I have attached the 4.19 backport of a00df2caffed ("ipv6: make exception cache less predictible").
Ovidiu
> thanks,
>
> greg k-h
On Fri, Oct 29, 2021 at 11:17:16AM +0300, Ovidiu Panait wrote:
> Hi Greg,
>
> On 29.10.2021 10:39, Greg KH wrote:
>> On Thu, Oct 28, 2021 at 10:08:58PM +0300, Ovidiu Panait wrote:
>>> The following commits are needed to fix CVE-2021-20322:
>>>
>>> ipv4:
>>> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>>> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>>>
>>> ipv6:
>>> [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>>> [4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
>>>
>>> Commit [2] is already present in 4.19 stable, so backport the remaining three fixes with minor context adjustments.
>>>
>>> Eric Dumazet (3):
>>>   ipv4: use siphash instead of Jenkins in fnhe_hashfun()
>>>   ipv6: use siphash in rt6_exception_hash()
>>>   ipv6: make exception cache less predictible
>>>
>>>  net/ipv4/route.c | 12 ++++++------
>>>  net/ipv6/route.c | 25 ++++++++++++++++++-------
>>>  2 files changed, 24 insertions(+), 13 deletions(-)
>>>
>>> --
>>> 2.25.1
>>
>> You sent 0/3 but only 2 patches showed up?
>>
>> Can you please resend all 3?
>
> I tried resending the full patchset, but the last patch is still not showing up.
>
> git send-email doesn't report any errors:
>
> OK. Log says:
> MAIL FROM:<ovidiu.panait@windriver.com>
> RCPT TO:<stable@vger.kernel.org>
> RCPT TO:<gregkh@linuxfoundation.org>
> From: Ovidiu Panait <ovidiu.panait@windriver.com>
> To: stable@vger.kernel.org
> Cc: gregkh@linuxfoundation.org
> Subject: [PATCH 4.19 3/3] ipv6: make exception cache less predictible
> Date: Fri, 29 Oct 2021 10:50:27 +0300
> Message-Id: <20211029075027.1910142-4-ovidiu.panait@windriver.com>
> X-Mailer: git-send-email 2.25.1
> In-Reply-To: <20211029075027.1910142-1-ovidiu.panait@windriver.com>
> References: <20211029075027.1910142-1-ovidiu.panait@windriver.com>
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
>
> Result: 250
>
> I have attached the 4.19 backport of a00df2caffed ("ipv6: make exception cache less predictible").
Odd, it did not come to me either. I've taken the attached file, thanks.
greg k-h