From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Benedict Wong <benedictwong@google.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.3 10/67] xfrm: Check if_id in inbound policy/secpath match
Date: Thu, 25 May 2023 14:30:47 -0400 [thread overview]
Message-ID: <20230525183144.1717540-10-sashal@kernel.org> (raw)
In-Reply-To: <20230525183144.1717540-1-sashal@kernel.org>
From: Benedict Wong <benedictwong@google.com>
[ Upstream commit 8680407b6f8f5fba59e8f1d63c869abc280f04df ]
This change ensures that if configured in the policy, the if_id set in
the policy and secpath states match during the inbound policy check.
Without this, there is potential for ambiguity where entries in the
secpath differing by only the if_id could be mismatched.
Notably, this is checked in the outbound direction when resolving
templates to SAs, but not on the inbound path when matching SAs and
policies.
Test: Tested against Android kernel unit tests & CTS
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_policy.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5c61ec04b839b..361b561908075 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3312,7 +3312,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
static inline int
xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
- unsigned short family)
+ unsigned short family, u32 if_id)
{
if (xfrm_state_kern(x))
return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
@@ -3323,7 +3323,8 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
(tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
!(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
!(x->props.mode != XFRM_MODE_TRANSPORT &&
- xfrm_state_addr_cmp(tmpl, x, family));
+ xfrm_state_addr_cmp(tmpl, x, family)) &&
+ (if_id == 0 || if_id == x->if_id);
}
/*
@@ -3335,7 +3336,7 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
*/
static inline int
xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
- unsigned short family)
+ unsigned short family, u32 if_id)
{
int idx = start;
@@ -3345,7 +3346,7 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star
} else
start = -1;
for (; idx < sp->len; idx++) {
- if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
+ if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
return ++idx;
if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
if (start == -1)
@@ -3730,7 +3731,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
* are implied between each two transformations.
*/
for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
- k = xfrm_policy_ok(tpp[i], sp, k, family);
+ k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
if (k < 0) {
if (k < -1)
/* "-2 - errored_index" returned */
--
2.39.2
next prev parent reply other threads:[~2023-05-25 18:33 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-25 18:30 [PATCH AUTOSEL 6.3 01/67] nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 02/67] nvme-pci: add quirk for missing secondary temperature thresholds Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 03/67] nvme-pci: clamp max_hw_sectors based on DMA optimized limitation Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 04/67] ASoC: amd: yc: Add DMI entry to support System76 Pangolin 12 Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 05/67] ASoC: dwc: limit the number of overrun messages Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 06/67] cpupower:Fix resource leaks in sysfs_get_enabled() Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 07/67] selftests/ftrace: Improve integration with kselftest runner Sasha Levin
2023-05-26 15:23 ` Mark Brown
2023-06-01 9:30 ` Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 08/67] ASoC: SOF: amd: Fix NULL pointer crash in acp_sof_ipc_msg_data function Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 09/67] um: harddog: fix modular build Sasha Levin
2023-05-25 18:30 ` Sasha Levin [this message]
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 11/67] ASoC: jz4740-i2s: Make I2S divider calculations more robust Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 12/67] ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 13/67] ALSA: hda/realtek: Add quirks for ASUS GU604V and GU603V Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 14/67] ASoC: ssm2602: Add workaround for playback distortions Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 15/67] media: dvb_demux: fix a bug for the continuity counter Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 16/67] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 17/67] media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 18/67] media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer() Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 19/67] media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 20/67] media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 21/67] media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address Sasha Levin
2023-05-25 18:30 ` [PATCH AUTOSEL 6.3 22/67] media: netup_unidvb: fix irq init by register it at the end of probe Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 23/67] media: dvb_ca_en50221: fix a size write bug Sasha Levin
2023-06-16 19:21 ` Pavel Machek
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 24/67] media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 25/67] media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 26/67] media: dvb-core: Fix use-after-free on race condition at dvb_frontend Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 27/67] media: dvb-core: Fix use-after-free due on race condition at dvb_net Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 28/67] media: dvb-core: Fix use-after-free due to race at dvb_register_device() Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 29/67] media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*() Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 30/67] media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 31/67] ASoC: SOF: debug: conditionally bump runtime_pm counter on exceptions Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 32/67] ASoC: SOF: pcm: fix pm_runtime imbalance in error handling Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 33/67] ASoC: SOF: sof-client-probes: " Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 34/67] ASoC: SOF: pm: save io region state in case of errors in resume Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 35/67] tipc: add tipc_bearer_min_mtu to calculate min mtu Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 36/67] s390/pkey: zeroize key blobs Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 37/67] s390/topology: honour nr_cpu_ids when adding CPUs Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 38/67] s390/ipl: fix IPIB virtual vs physical address confusion Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 39/67] ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 40/67] wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 41/67] ARM: dts: stm32: add pin map for CAN controller on stm32f7 Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 42/67] ARM: dts: stm32: add CAN support on stm32f746 Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 43/67] arm64/mm: mark private VM_FAULT_X defines as vm_fault_t Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 44/67] arm64: vdso: Pass (void *) to virt_to_page() Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 45/67] wifi: mac80211: simplify chanctx allocation Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 46/67] wifi: mac80211: consider reserved chanctx for mindef Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 47/67] wifi: mac80211: recalc chanctx mindef before assigning Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 48/67] wifi: iwlwifi: mvm: Add locking to the rate read flow Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 49/67] scsi: ufs: core: Fix MCQ tag calculation Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 50/67] scsi: ufs: core: Rename symbol sizeof_utp_transfer_cmd_desc() Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 51/67] scsi: ufs: core: Fix MCQ nr_hw_queues Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 52/67] scsi: Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed" Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 53/67] scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 54/67] wifi: b43: fix incorrect __packed annotation Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 55/67] net: wwan: t7xx: Ensure init is completed before system sleep Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 56/67] netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 57/67] nvme-multipath: don't call blk_mark_disk_dead in nvme_mpath_remove_disk Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 58/67] nvme: do not let the user delete a ctrl before a complete initialization Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 59/67] ALSA: oss: avoid missing-prototype warnings Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 60/67] drm/msm: Be more shouty if per-process pgtables aren't working Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 61/67] atm: hide unused procfs functions Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 62/67] mdio_bus: unhide mdio_bus_init prototype Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 63/67] ceph: silence smatch warning in reconnect_caps_cb() Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 64/67] drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 65/67] ublk: fix AB-BA lockdep warning Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 66/67] nvme-pci: Add quirk for Teamgroup MP33 SSD Sasha Levin
2023-05-25 18:31 ` [PATCH AUTOSEL 6.3 67/67] block: Deny writable memory mapping if block is read-only Sasha Levin
2023-05-25 19:02 ` [PATCH AUTOSEL 6.3 01/67] nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G Eric Biggers
2023-06-01 9:52 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230525183144.1717540-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=benedictwong@google.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox