[PATCH 5.16 199/285] bpf: Support dual-stack sockets in bpf_tcp_check_syncookie

From: Greg Kroah-Hartman
Date: Tue Apr 12 2022 - 04:26:06 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.16 163/285] skbuff: fix coalescing for page_pool fragment recycling"
Previous message: Greg Kroah-Hartman: "[PATCH 5.16 217/285] mmc: mmci: stm32: correctly check all elements of sg list"
In reply to: Greg Kroah-Hartman: "[PATCH 5.16 217/285] mmc: mmci: stm32: correctly check all elements of sg list"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.16 163/285] skbuff: fix coalescing for page_pool fragment recycling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maxim Mikityanskiy <maximmi@xxxxxxxxxx>

[ Upstream commit 2e8702cc0cfa1080f29fd64003c00a3e24ac38de ]

bpf_tcp_gen_syncookie looks at the IP version in the IP header and
validates the address family of the socket. It supports IPv4 packets in
AF_INET6 dual-stack sockets.

On the other hand, bpf_tcp_check_syncookie looks only at the address
family of the socket, ignoring the real IP version in headers, and
validates only the packet size. This implementation has some drawbacks:

1. Packets are not validated properly, allowing a BPF program to trick
bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4
socket.

2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end
up receiving a SYNACK with the cookie, but the following ACK gets
dropped.

This patch fixes these issues by changing the checks in
bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP
version from the header is taken into account, and it is validated
properly with address family.

Fixes: 399040847084 ("bpf: add helper to check for a valid SYN cookie")
Signed-off-by: Maxim Mikityanskiy <maximmi@xxxxxxxxxx>
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Reviewed-by: Tariq Toukan <tariqt@xxxxxxxxxx>
Acked-by: Arthur Fabre <afabre@xxxxxxxxxxxxxx>
Link: https://lore.kernel.org/bpf/20220406124113.2795730-1-maximmi@xxxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
net/core/filter.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 4721ed65bcc5..590790c63fa3 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6719,24 +6719,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len
if (!th->ack || th->rst || th->syn)
return -ENOENT;

+ if (unlikely(iph_len < sizeof(struct iphdr)))
+ return -EINVAL;
+
if (tcp_synq_no_recent_overflow(sk))
return -ENOENT;

cookie = ntohl(th->ack_seq) - 1;

- switch (sk->sk_family) {
- case AF_INET:
- if (unlikely(iph_len < sizeof(struct iphdr)))
+ /* Both struct iphdr and struct ipv6hdr have the version field at the
+ * same offset so we can cast to the shorter header (struct iphdr).
+ */
+ switch (((struct iphdr *)iph)->version) {
+ case 4:
+ if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk))
return -EINVAL;

ret = __cookie_v4_check((struct iphdr *)iph, th, cookie);
break;

#if IS_BUILTIN(CONFIG_IPV6)
- case AF_INET6:
+ case 6:
if (unlikely(iph_len < sizeof(struct ipv6hdr)))
return -EINVAL;

+ if (sk->sk_family != AF_INET6)
+ return -EINVAL;
+
ret = __cookie_v6_check((struct ipv6hdr *)iph, th, cookie);
break;
#endif /* CONFIG_IPV6 */
--
2.35.1

Next message: Greg Kroah-Hartman: "[PATCH 5.16 163/285] skbuff: fix coalescing for page_pool fragment recycling"
Previous message: Greg Kroah-Hartman: "[PATCH 5.16 217/285] mmc: mmci: stm32: correctly check all elements of sg list"
In reply to: Greg Kroah-Hartman: "[PATCH 5.16 217/285] mmc: mmci: stm32: correctly check all elements of sg list"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.16 163/285] skbuff: fix coalescing for page_pool fragment recycling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]