Tomas Charvat tc@excello.cz wrote:
[ CC stable, Steffen ]
Hi Florian and David, I'm running several servers that use XFRM ipsec. It do work well on all kernels bellow 4.14.0.
It doesnt work on 4.14.0-2. There is no any error in dmesg or in userspace when I do configure policies.
Since there is not much info about XFRM in dmesg I have no clue, where to start when I want to debug this issue.
David, please consider picking up 94802151894d482e82c324edf2c658f8e6b96508 ("Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.")
for the 4.14.y stable queue.
I think its a pretty safe bet that this fixes the problem, it broke transport mode wildcard policy lookup.
I have seen that you have removed flow-cache that we have fixed 2 time. Do you have clue where to start with debug of this issue ?
If the revert doesn't help, please do a bug report to netdev@vger.kernel.org and provide /proc/net/xfrm_stat content and the list of policies/SAs.
From: Florian Westphal fw@strlen.de Date: Fri, 24 Nov 2017 20:32:12 +0100
Tomas Charvat tc@excello.cz wrote:
[ CC stable, Steffen ]
Hi Florian and David, I'm running several servers that use XFRM ipsec. It do work well on all kernels bellow 4.14.0.
It doesnt work on 4.14.0-2. There is no any error in dmesg or in userspace when I do configure policies.
Since there is not much info about XFRM in dmesg I have no clue, where to start when I want to debug this issue.
David, please consider picking up 94802151894d482e82c324edf2c658f8e6b96508 ("Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.")
for the 4.14.y stable queue.
I think its a pretty safe bet that this fixes the problem, it broke transport mode wildcard policy lookup.
Ok, once we have confirmation that this fixes it I also need to pair it up with Steffen's alternative fix for the bug that commit was trying to fix.
On Sat, Nov 25, 2017 at 04:50:31AM +0900, David Miller wrote:
From: Florian Westphal fw@strlen.de Date: Fri, 24 Nov 2017 20:32:12 +0100
Tomas Charvat tc@excello.cz wrote:
[ CC stable, Steffen ]
Hi Florian and David, I'm running several servers that use XFRM ipsec. It do work well on all kernels bellow 4.14.0.
It doesnt work on 4.14.0-2. There is no any error in dmesg or in userspace when I do configure policies.
Since there is not much info about XFRM in dmesg I have no clue, where to start when I want to debug this issue.
David, please consider picking up 94802151894d482e82c324edf2c658f8e6b96508 ("Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.")
for the 4.14.y stable queue.
I think its a pretty safe bet that this fixes the problem, it broke transport mode wildcard policy lookup.
Ok, once we have confirmation that this fixes it I also need to pair it up with Steffen's alternative fix for the bug that commit was trying to fix.
We need this revert in the 4.14.y stable tree anyway as it broke transport mode IPsec.
I thought quite a lot about the original problem that I tried to fix. It is a rather subtile thing, like almost all bugs reported from syzcaller I have seen.
In between I think our template validation is not strict enough. It is possible to configure policies with transport mode template where the selector address family does not match the templates address family. The address family can not change on a transport mode transformation, so this configuration does not make much sense but lead to problems because we use the assumption that the address family can not change on thransport mode later on.
Unfortunately the reproducer provided by syzcaller does not trigger anything on my test setup, so I don't even know if this fixes this exact problem.
Florian, could you please give the patch blelow a try?
Subject: [PATCH] xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
On policies with a transport mode template, we pass the addresses from the flowi to xfrm_state_find(), assuming that the IP addresses (and address family) don't change during transformation.
Unfortunately our policy template validation is not strict enough. It is possible to configure policies with transport mode template where the address family of the template does not match the selectors address family. This lead to stack-out-of-bound reads because we compare arddesses of the wrong family. Fix this by refusing such a configuration, address family can not change on transport mode.
We use the assumption that, on transport mode, the first templates address family must match the address family of the policy selector. Subsequent transport mode templates must match the address family of the previous template.
Signed-off-by: Steffen Klassert steffen.klassert@secunet.com --- net/xfrm/xfrm_user.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 983b0233767b..57ad016ae675 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1419,11 +1419,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) { + u16 prev_family; int i;
if (nr > XFRM_MAX_DEPTH) return -EINVAL;
+ prev_family = family; + for (i = 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was @@ -1435,6 +1438,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) if (!ut[i].family) ut[i].family = family;
+ if ((ut[i].mode == XFRM_MODE_TRANSPORT) && + (ut[i].family != prev_family)) + return -EINVAL; + + prev_family = ut[i].family; + switch (ut[i].family) { case AF_INET: break;
Steffen Klassert steffen.klassert@secunet.com wrote:
On Sat, Nov 25, 2017 at 04:50:31AM +0900, David Miller wrote:
From: Florian Westphal fw@strlen.de Date: Fri, 24 Nov 2017 20:32:12 +0100
Tomas Charvat tc@excello.cz wrote:
[ CC stable, Steffen ]
Hi Florian and David, I'm running several servers that use XFRM ipsec. It do work well on all kernels bellow 4.14.0.
It doesnt work on 4.14.0-2. There is no any error in dmesg or in userspace when I do configure policies.
Since there is not much info about XFRM in dmesg I have no clue, where to start when I want to debug this issue.
David, please consider picking up 94802151894d482e82c324edf2c658f8e6b96508 ("Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.")
for the 4.14.y stable queue.
I think its a pretty safe bet that this fixes the problem, it broke transport mode wildcard policy lookup.
Ok, once we have confirmation that this fixes it I also need to pair it up with Steffen's alternative fix for the bug that commit was trying to fix.
We need this revert in the 4.14.y stable tree anyway as it broke transport mode IPsec.
I thought quite a lot about the original problem that I tried to fix. It is a rather subtile thing, like almost all bugs reported from syzcaller I have seen.
In between I think our template validation is not strict enough. It is possible to configure policies with transport mode template where the selector address family does not match the templates address family. The address family can not change on a transport mode transformation, so this configuration does not make much sense but lead to problems because we use the assumption that the address family can not change on thransport mode later on.
Unfortunately the reproducer provided by syzcaller does not trigger anything on my test setup, so I don't even know if this fixes this exact problem.
Florian, could you please give the patch blelow a try?
Doesn't help.
static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) {
- u16 prev_family; int i;
if (nr > XFRM_MAX_DEPTH) return -EINVAL;
- prev_family = family;
family is AF_INET6 (10), nr is 1.
for (i = 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was @@ -1435,6 +1438,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) if (!ut[i].family) ut[i].family = family;
if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&(ut[i].family != prev_family))return -EINVAL;
mode is XFRM_MODE_TRANSPORT, family == prev_family (10), so no -EINVAL here.
Socket is AF_INET6. setsockopt(3, SOL_IPV6, 0x23 /* IPV6_??? */, ... sendto(3, "", 0, MSG_EOR|MSG_NOSIGNAL|0x10, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EAGAIN (Resource temporarily unavailable)
and then used with AF_INET address, which causes the KASAN warning as we feed xfrm_state_find with on-stack ipv4 addresses.
On Mon, Nov 27, 2017 at 11:39:40AM +0100, Florian Westphal wrote:
Steffen Klassert steffen.klassert@secunet.com wrote:
Florian, could you please give the patch blelow a try?
Doesn't help.
Thanks for testing!
static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) {
- u16 prev_family; int i;
if (nr > XFRM_MAX_DEPTH) return -EINVAL;
- prev_family = family;
family is AF_INET6 (10), nr is 1.
for (i = 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was @@ -1435,6 +1438,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) if (!ut[i].family) ut[i].family = family;
if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&(ut[i].family != prev_family))return -EINVAL;mode is XFRM_MODE_TRANSPORT, family == prev_family (10), so no -EINVAL here.
Socket is AF_INET6. setsockopt(3, SOL_IPV6, 0x23 /* IPV6_??? */, ... sendto(3, "", 0, MSG_EOR|MSG_NOSIGNAL|0x10, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EAGAIN (Resource temporarily unavailable)
and then used with AF_INET address, which causes the KASAN warning as we feed xfrm_state_find with on-stack ipv4 addresses.
This means that a policy with IPv6 selector matched an IPv4 flow, hmm. This is probably because most selector fields are wildcard. We could catch this by checking the address families of selector and flow in xfrm_sk_policy_lookup() before the policy match().
I'll try to get the reproducer to work here so that I don't need to bother you with this, thanks again!
On Mon, Nov 27, 2017 at 11:39:40AM +0100, Florian Westphal wrote:
Steffen Klassert steffen.klassert@secunet.com wrote:
In between I think our template validation is not strict enough. It is possible to configure policies with transport mode template where the selector address family does not match the templates address family. The address family can not change on a transport mode transformation, so this configuration does not make much sense but lead to problems because we use the assumption that the address family can not change on thransport mode later on.
Unfortunately the reproducer provided by syzcaller does not trigger anything on my test setup, so I don't even know if this fixes this exact problem.
I had to update my compliler, now I can reproduce the problem.
Florian, could you please give the patch blelow a try?
Doesn't help.
It does not fix this problem, but the one referenced here:
https://lkml.org/lkml/2017/11/22/414
I knew it fixes something :-)
The bug we are talking about here should be fixed with the patch below.
Subject: [PATCH] xfrm: Fix stack-out-of-bounds read on socket policy lookup.
When we do tunnel or beet mode, we pass saddr and daddr from the template to xfrm_state_find(), this is ok. On transport mode, we pass the addresses from the flowi, assuming that the IP addresses (and address family) don't change during transformation. This assumption is wrong in the IPv4 mapped IPv6 case, packet is IPv4 and template is IPv6.
Fix this by catching address family missmatches of the policy and the flow already before we do the lookup.
Signed-off-by: Steffen Klassert steffen.klassert@secunet.com --- net/xfrm/xfrm_policy.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 9542975eb2f9..038ec68f6901 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, again: pol = rcu_dereference(sk->sk_policy[dir]); if (pol != NULL) { - bool match = xfrm_selector_match(&pol->selector, fl, family); + bool match; int err = 0;
+ if (pol->family != family) { + pol = NULL; + goto out; + } + + match = xfrm_selector_match(&pol->selector, fl, family); if (match) { if ((sk->sk_mark & pol->mark.m) != pol->mark.v) { pol = NULL;
linux-stable-mirror@lists.linaro.org
-
David Miller -
Florian Westphal -
Steffen Klassert