[GIT PULL nf] Second Round of IPVS Fixes for v3.18

[GIT PULL nf] Second Round of IPVS Fixes for v3.18

[Simon Horman]

Hi Pablo,

please consider this fix for v3.18.

It fixes handling of skb->sk which may cause incorrect handling
of connections from a local process.

This problem was introduced in its current form by 8052ba292559f907e
("ipvs: support ipv4 in ipv6 and ipv6 in ipv4 tunnel forwarding") in
v3.18-rc1.

I believe it also exists in a different form in older kernels.
No fix for that is available at this time.


The following changes since commit 2196937e12b1b4ba139806d132647e1651d655df:

  netfilter: ipset: small potential read beyond the end of buffer (2014-11-11 13:46:37 +0100)

are available in the git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git tags/ipvs-fixes2-for-v3.18

for you to fetch changes up to 50656d9df63d69ce399c8be62d4473b039dac36a:

  ipvs: Keep skb->sk when allocating headroom on tunnel xmit (2014-11-12 11:03:04 +0900)

----------------------------------------------------------------
Calvin Owens (1):
      ipvs: Keep skb->sk when allocating headroom on tunnel xmit

 net/netfilter/ipvs/ip_vs_xmit.c | 2 ++
 1 file changed, 2 insertions(+)

[PATCH nf] ipvs: Keep skb->sk when allocating headroom on tunnel xmit

[Simon Horman]

From: Calvin Owens <calvinowens@fb.com>

ip_vs_prepare_tunneled_skb() ignores ->sk when allocating a new
skb, either unconditionally setting ->sk to NULL or allowing
the uninitialized ->sk from a newly allocated skb to leak through
to the caller.

This patch properly copies ->sk and increments its reference count.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_xmit.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 437a366..bd90bf8 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -846,6 +846,8 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
 		new_skb = skb_realloc_headroom(skb, max_headroom);
 		if (!new_skb)
 			goto error;
+		if (skb->sk)
+			skb_set_owner_w(new_skb, skb->sk);
 		consume_skb(skb);
 		skb = new_skb;
 	}
-- 
2.1.1

Re: [GIT PULL nf] Second Round of IPVS Fixes for v3.18

[Pablo Neira Ayuso]

On Wed, Nov 12, 2014 at 11:21:59AM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider this fix for v3.18.
> 
> It fixes handling of skb->sk which may cause incorrect handling
> of connections from a local process.
> 
> This problem was introduced in its current form by 8052ba292559f907e
> ("ipvs: support ipv4 in ipv6 and ipv6 in ipv4 tunnel forwarding") in
> v3.18-rc1.

Pulled, thanks Simon.

> I believe it also exists in a different form in older kernels.
> No fix for that is available at this time.

AFAIK -stable also accepts backports if there's a clear relation
between this original patch in mainstream and the backported version.

Re: [GIT PULL nf] Second Round of IPVS Fixes for v3.18

[Simon Horman]

On Thu, Nov 13, 2014 at 12:38:18PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Nov 12, 2014 at 11:21:59AM +0900, Simon Horman wrote:
> > Hi Pablo,
> > 
> > please consider this fix for v3.18.
> > 
> > It fixes handling of skb->sk which may cause incorrect handling
> > of connections from a local process.
> > 
> > This problem was introduced in its current form by 8052ba292559f907e
> > ("ipvs: support ipv4 in ipv6 and ipv6 in ipv4 tunnel forwarding") in
> > v3.18-rc1.
> 
> Pulled, thanks Simon.
> 
> > I believe it also exists in a different form in older kernels.
> > No fix for that is available at this time.
> 
> AFAIK -stable also accepts backports if there's a clear relation
> between this original patch in mainstream and the backported version.

Thanks. I will see about making one.