xfrm: Check if_id in inbound policy/secpath match

stable inclusion from stable-v4.19.285 commit d3d8a6999c0839b54edfd6d7772a580ea3608f75 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7J5UF CVE: NA -------------------------------- [ Upstream commit 8680407b ] This change ensures that if configured in the policy, the if_id set in the policy and secpath states match during the inbound policy check. Without this, there is potential for ambiguity where entries in the secpath differing by only the if_id could be mismatched. Notably, this is checked in the outbound direction when resolving templates to SAs, but not on the inbound path when matching SAs and policies. Test: Tested against Android kernel unit tests & CTS Signed-off-by: N Benedict Wong <benedictwong@google.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

xfrm: Check if_id in inbound policy/secpath match
stable inclusion from stable-v4.19.285 commit d3d8a6999c0839b54edfd6d7772a580ea3608f75 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7J5UF CVE: NA -------------------------------- [ Upstream commit 8680407b ] This change ensures that if configured in the policy, the if_id set in the policy and secpath states match during the inbound policy check. Without this, there is potential for ambiguity where entries in the secpath differing by only the if_id could be mismatched. Notably, this is checked in the outbound direction when resolving templates to SAs, but not on the inbound path when matching SAs and policies. Test: Tested against Android kernel unit tests & CTS Signed-off-by: N Benedict Wong <benedictwong@google.com> Signed-off-by: N Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
09b57136 · Benedict Wong · Yongqiang Liu · 2886ed97 · 09b57136
隐藏空白更改
内联并排

Showing with 6 addition and 5 deletion

net/xfrm/xfrm_policy.c net/xfrm/xfrm_policy.c +6 -5

未找到文件。
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2246,7 +2246,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)

 static inline int
 xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
-	      unsigned short family)
+	      unsigned short family, u32 if_id)
 {
 	if (xfrm_state_kern(x))
 		return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family);
@@ -2257,7 +2257,8 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
 		(tmpl->allalgs || (tmpl->aalgos & (1<<x->props.aalgo)) ||
 		 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
 		!(x->props.mode != XFRM_MODE_TRANSPORT &&
-		  xfrm_state_addr_cmp(tmpl, x, family));
+		  xfrm_state_addr_cmp(tmpl, x, family)) &&
+		(if_id == 0 || if_id == x->if_id);
 }

 /*
@@ -2269,7 +2270,7 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
 */
 static inline int
 xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
-	       unsigned short family)
+	       unsigned short family, u32 if_id)
 {
 	int idx = start;

@@ -2279,7 +2280,7 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star
 	} else
 		start = -1;
 	for (; idx < sp->len; idx++) {
-		if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
+		if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
 			return ++idx;
 		if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
 			if (start == -1)
@@ -2456,7 +2457,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 		 * are implied between each two transformations.
 		 */
 		for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
-			k = xfrm_policy_ok(tpp[i], sp, k, family);
+			k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
 			if (k < 0) {
 				if (k < -1)
 					/* "-2 - errored_index" returned */