[PATCH stable 5.15] tcp: add a missing nf_reset

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH stable 5.15] tcp: add a missing nf_reset_ct() in 3WHS handling
@ 2022-07-01  1:41 Jakub Kicinski
  2022-07-04 14:45 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Jakub Kicinski @ 2022-07-01  1:41 UTC (permalink / raw)
  To: stable, edumazet
  Cc: netdev, Ilya Maximets, Florian Westphal, Pablo Neira Ayuso,
	Steffen Klassert, Jakub Kicinski

From: Eric Dumazet <edumazet@google.com>

commit 6f0012e35160cd08a53e46e3b3bbf724b92dfe68 upstream.

When the third packet of 3WHS connection establishment
contains payload, it is added into socket receive queue
without the XFRM check and the drop of connection tracking
context.

This means that if the data is left unread in the socket
receive queue, conntrack module can not be unloaded.

As most applications usually reads the incoming data
immediately after accept(), bug has been hiding for
quite a long time.

Commit 68822bdf76f1 ("net: generalize skb freeing
deferral to per-cpu lists") exposed this bug because
even if the application reads this data, the skb
with nfct state could stay in a per-cpu cache for
an arbitrary time, if said cpu no longer process RX softirqs.

Many thanks to Ilya Maximets for reporting this issue,
and for testing various patches:
https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/

Note that I also added a missing xfrm4_policy_check() call,
although this is probably not a big issue, as the SYN
packet should have been dropped earlier.

Fixes: b59c270104f0 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done")
Reported-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Tested-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
Link: https://lore.kernel.org/r/20220623050436.1290307-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
 net/ipv4/tcp_ipv4.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index a189625098ba..5d94822fd506 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2014,7 +2014,8 @@ int tcp_v4_rcv(struct sk_buff *skb)
 		struct sock *nsk;
 
 		sk = req->rsk_listener;
-		if (unlikely(tcp_v4_inbound_md5_hash(sk, skb, dif, sdif))) {
+		if (unlikely(!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb) ||
+			     tcp_v4_inbound_md5_hash(sk, skb, dif, sdif))) {
 			sk_drops_add(sk, skb);
 			reqsk_put(req);
 			goto discard_it;
@@ -2061,6 +2062,7 @@ int tcp_v4_rcv(struct sk_buff *skb)
 			}
 			goto discard_and_relse;
 		}
+		nf_reset_ct(skb);
 		if (nsk == sk) {
 			reqsk_put(req);
 			tcp_v4_restore_cb(skb);
-- 
2.36.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH stable 5.15] tcp: add a missing nf_reset_ct() in 3WHS handling
  2022-07-01  1:41 [PATCH stable 5.15] tcp: add a missing nf_reset_ct() in 3WHS handling Jakub Kicinski
@ 2022-07-04 14:45 ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2022-07-04 14:45 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: stable, edumazet, netdev, Ilya Maximets, Florian Westphal,
	Pablo Neira Ayuso, Steffen Klassert

On Thu, Jun 30, 2022 at 06:41:01PM -0700, Jakub Kicinski wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> commit 6f0012e35160cd08a53e46e3b3bbf724b92dfe68 upstream.
> 
> When the third packet of 3WHS connection establishment
> contains payload, it is added into socket receive queue
> without the XFRM check and the drop of connection tracking
> context.
> 
> This means that if the data is left unread in the socket
> receive queue, conntrack module can not be unloaded.
> 
> As most applications usually reads the incoming data
> immediately after accept(), bug has been hiding for
> quite a long time.
> 
> Commit 68822bdf76f1 ("net: generalize skb freeing
> deferral to per-cpu lists") exposed this bug because
> even if the application reads this data, the skb
> with nfct state could stay in a per-cpu cache for
> an arbitrary time, if said cpu no longer process RX softirqs.
> 
> Many thanks to Ilya Maximets for reporting this issue,
> and for testing various patches:
> https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/
> 
> Note that I also added a missing xfrm4_policy_check() call,
> although this is probably not a big issue, as the SYN
> packet should have been dropped earlier.
> 
> Fixes: b59c270104f0 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done")
> Reported-by: Ilya Maximets <i.maximets@ovn.org>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Florian Westphal <fw@strlen.de>
> Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Tested-by: Ilya Maximets <i.maximets@ovn.org>
> Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
> Link: https://lore.kernel.org/r/20220623050436.1290307-1-edumazet@google.com
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
> ---
>  net/ipv4/tcp_ipv4.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Now queued up, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-07-04 14:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-01  1:41 [PATCH stable 5.15] tcp: add a missing nf_reset_ct() in 3WHS handling Jakub Kicinski
2022-07-04 14:45 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).