[PATCH net] ipv4: Fix incorrect table ID in IOCTL path

[PATCH net] ipv4: Fix incorrect table ID in IOCTL path

[Ido Schimmel]

Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
address is deleted") started to take the table ID field in the FIB info
structure into account when determining if two structures are identical
or not. This field is initialized using the 'fc_table' field in the
route configuration structure, which is not set when adding a route via
IOCTL.

The above can result in user space being able to install two identical
routes that only differ in the table ID field of their associated FIB
info.

Fix by initializing the table ID field in the route configuration
structure in the IOCTL path.

Before the fix:

 # ip route add default via 192.0.2.2
 # route add default gw 192.0.2.2
 # ip -4 r show default
 # default via 192.0.2.2 dev dummy10
 # default via 192.0.2.2 dev dummy10

After the fix:

 # ip route add default via 192.0.2.2
 # route add default gw 192.0.2.2
 SIOCADDRT: File exists
 # ip -4 r show default
 default via 192.0.2.2 dev dummy10

Audited the code paths to ensure there are no other paths that do not
properly initialize the route configuration structure when installing a
route.

Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted")
Reported-by: gaoxingwang <gaoxingwang1@huawei.com>
Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/
Tested-by: gaoxingwang <gaoxingwang1@huawei.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/ipv4/fib_frontend.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index b5736ef16ed2..390f4be7f7be 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -576,6 +576,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
 			cfg->fc_scope = RT_SCOPE_UNIVERSE;
 	}
 
+	if (!cfg->fc_table)
+		cfg->fc_table = RT_TABLE_MAIN;
+
 	if (cmd == SIOCDELRT)
 		return 0;
 
-- 
2.37.3

Re: [PATCH net] ipv4: Fix incorrect table ID in IOCTL path

[David Ahern]

On 3/15/23 6:40 AM, Ido Schimmel wrote:
> Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
> address is deleted") started to take the table ID field in the FIB info
> structure into account when determining if two structures are identical
> or not. This field is initialized using the 'fc_table' field in the
> route configuration structure, which is not set when adding a route via
> IOCTL.
> 
> The above can result in user space being able to install two identical
> routes that only differ in the table ID field of their associated FIB
> info.
> 
> Fix by initializing the table ID field in the route configuration
> structure in the IOCTL path.
> 
> Before the fix:
> 
>  # ip route add default via 192.0.2.2
>  # route add default gw 192.0.2.2
>  # ip -4 r show default
>  # default via 192.0.2.2 dev dummy10
>  # default via 192.0.2.2 dev dummy10
> 
> After the fix:
> 
>  # ip route add default via 192.0.2.2
>  # route add default gw 192.0.2.2
>  SIOCADDRT: File exists
>  # ip -4 r show default
>  default via 192.0.2.2 dev dummy10
> 
> Audited the code paths to ensure there are no other paths that do not
> properly initialize the route configuration structure when installing a
> route.
> 
> Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
> Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted")
> Reported-by: gaoxingwang <gaoxingwang1@huawei.com>
> Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/
> Tested-by: gaoxingwang <gaoxingwang1@huawei.com>
> Signed-off-by: Ido Schimmel <idosch@nvidia.com>
> ---
>  net/ipv4/fib_frontend.c | 3 +++
>  1 file changed, 3 insertions(+)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH net] ipv4: Fix incorrect table ID in IOCTL path

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 15 Mar 2023 14:40:09 +0200 you wrote:
> Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
> address is deleted") started to take the table ID field in the FIB info
> structure into account when determining if two structures are identical
> or not. This field is initialized using the 'fc_table' field in the
> route configuration structure, which is not set when adding a route via
> IOCTL.
> 
> [...]

Here is the summary with links:
  - [net] ipv4: Fix incorrect table ID in IOCTL path
    https://git.kernel.org/netdev/net/c/8a2618e14f81

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html