bpf: Support dual-stack sockets in bpf_tcp_check_syncookie

stable inclusion from stable-v5.10.111 commit 970a6bb72912f2accae52e811a6618e3d4a5b0ff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5GL1Z Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=970a6bb72912f2accae52e811a6618e3d4a5b0ff -------------------------------- [ Upstream commit 2e8702cc ] bpf_tcp_gen_syncookie looks at the IP version in the IP header and validates the address family of the socket. It supports IPv4 packets in AF_INET6 dual-stack sockets. On the other hand, bpf_tcp_check_syncookie looks only at the address family of the socket, ignoring the real IP version in headers, and validates only the packet size. This implementation has some drawbacks: 1. Packets are not validated properly, allowing a BPF program to trick bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4 socket. 2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end up receiving a SYNACK with the cookie, but the following ACK gets dropped. This patch fixes these issues by changing the checks in bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP version from the header is taken into account, and it is validated properly with address family. Fixes: 39904084 ("bpf: add helper to check for a valid SYN cookie") Signed-off-by: N Maxim Mikityanskiy <maximmi@nvidia.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org> Reviewed-by: N Tariq Toukan <tariqt@nvidia.com> Acked-by: N Arthur Fabre <afabre@cloudflare.com> Link: https://lore.kernel.org/bpf/20220406124113.2795730-1-maximmi@nvidia.comSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>

bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
stable inclusion from stable-v5.10.111 commit 970a6bb72912f2accae52e811a6618e3d4a5b0ff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5GL1Z Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=970a6bb72912f2accae52e811a6618e3d4a5b0ff -------------------------------- [ Upstream commit 2e8702cc ] bpf_tcp_gen_syncookie looks at the IP version in the IP header and validates the address family of the socket. It supports IPv4 packets in AF_INET6 dual-stack sockets. On the other hand, bpf_tcp_check_syncookie looks only at the address family of the socket, ignoring the real IP version in headers, and validates only the packet size. This implementation has some drawbacks: 1. Packets are not validated properly, allowing a BPF program to trick bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4 socket. 2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end up receiving a SYNACK with the cookie, but the following ACK gets dropped. This patch fixes these issues by changing the checks in bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP version from the header is taken into account, and it is validated properly with address family. Fixes: 39904084 ("bpf: add helper to check for a valid SYN cookie") Signed-off-by: N Maxim Mikityanskiy <maximmi@nvidia.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org> Reviewed-by: N Tariq Toukan <tariqt@nvidia.com> Acked-by: N Arthur Fabre <afabre@cloudflare.com> Link: https://lore.kernel.org/bpf/20220406124113.2795730-1-maximmi@nvidia.comSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>
edbaa822 · Maxim Mikityanskiy · Zheng Zengkai · 6ff12e06 · edbaa822
隐藏空白更改
内联并排

Showing with 13 addition and 4 deletion

net/core/filter.c net/core/filter.c +13 -4

未找到文件。
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6492,24 +6492,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len
 	if (!th->ack || th->rst || th->syn)
 		return -ENOENT;

+	if (unlikely(iph_len < sizeof(struct iphdr)))
+		return -EINVAL;
+
 	if (tcp_synq_no_recent_overflow(sk))
 		return -ENOENT;

 	cookie = ntohl(th->ack_seq) - 1;

-	switch (sk->sk_family) {
-	case AF_INET:
-		if (unlikely(iph_len < sizeof(struct iphdr)))
+	/* Both struct iphdr and struct ipv6hdr have the version field at the
+	 * same offset so we can cast to the shorter header (struct iphdr).
+	 */
+	switch (((struct iphdr *)iph)->version) {
+	case 4:
+		if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk))
 			return -EINVAL;

 		ret = __cookie_v4_check((struct iphdr *)iph, th, cookie);
 		break;

 #if IS_BUILTIN(CONFIG_IPV6)
-	case AF_INET6:
+	case 6:
 		if (unlikely(iph_len < sizeof(struct ipv6hdr)))
 			return -EINVAL;

+		if (sk->sk_family != AF_INET6)
+			return -EINVAL;
+
 		ret = __cookie_v6_check((struct ipv6hdr *)iph, th, cookie);
 		break;
 #endif /* CONFIG_IPV6 */