From patchwork Tue Jul 9 15:25:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gregory Rose X-Patchwork-Id: 1129896 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="h8COcxQj"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 45jmXF5Mdnz9s8m for ; Wed, 10 Jul 2019 01:32:13 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id D05813AAB; Tue, 9 Jul 2019 15:31:50 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 1258E2BED for ; Tue, 9 Jul 2019 15:25:08 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pf1-f194.google.com (mail-pf1-f194.google.com [209.85.210.194]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 71C4D148 for ; Tue, 9 Jul 2019 15:25:07 +0000 (UTC) Received: by mail-pf1-f194.google.com with SMTP id r1so9436502pfq.12 for ; Tue, 09 Jul 2019 08:25:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=U8BqIhreNWrOZ7/bEt+pCn6IqBRf7xAwe1/7tXs41ak=; b=h8COcxQjM10C5SOSFIQxQ+XM5jukuwS2aGgmfNs0isS1wLdd9EhRkVsOfzpM2Gq9rd KsSxzqc9BkfOADDkkWDUVwFTJcKnOERVUqC5Kliy2DYsayzD+98PoyY70yVj3Iov/xkc mV3jpc23StlxtrWoCpXfzbgL93IQXH3eg4p3axZLku2F5cw+uSVenFloBmIK1kRbCIPA 0+Imnb+pqQ29Nw3pjToPXs7nX8OEjykY014LLqmnJByXaAWzAkooxCbr3W8bT1N2psd6 Z8AFIHX6y2m0Nfla1xBWaAhU1Dwr30BN05sXx7Qw/rppqU69QWa4Tpdg27kRWtB5QOS5 HZjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=U8BqIhreNWrOZ7/bEt+pCn6IqBRf7xAwe1/7tXs41ak=; b=luE5mW7cUmqZcJqM9+bpN6DPHJ2ltkCpyj5S/IOPbG37kZ7442cuhCjziwDkWTHsoE vPDm5oF+BSl5S1wN7ZbR+HVDQYCmGN+Px5NVOVc1DriHn9X3x2mULe8tDIsuhdYu/41Z Rpoll67Un73PzVADU48SJFKSGSxtPxktaIZXPwIBwJYZhK9Y38WlOCcj/JvlBkZCbHrT WbeHIWLGLvniN9LhE1ZEh21ipNkJsNZHYBmwBUTGVGoHXvv0PwLTkxeMq+WTfNh8n/u4 JqtOuXEe/bALsJtvNYadBAEUAH4KkR5AzNO0vJr3ZphLTQ8V9BrbibTmWjAKXlGnSdxf JLEw== X-Gm-Message-State: APjAAAUy/D/dyCosS9hNEPXtmzuugSRq4XhPiyLJPBAJSWCrrujyDC2x tEEeUt/bL8owLgnKHGNsIPNsiHIP X-Google-Smtp-Source: APXvYqw+SbwukqRlwgROiy+pziBQtKxvGky9l4NEjQw0RJoYdN9o3adJM5UO1JYVjWWNjbofBlrREg== X-Received: by 2002:a63:6b0a:: with SMTP id g10mr30789114pgc.295.1562685906462; Tue, 09 Jul 2019 08:25:06 -0700 (PDT) Received: from gizo.domain ([97.115.142.179]) by smtp.gmail.com with ESMTPSA id k22sm27447912pfg.77.2019.07.09.08.25.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Jul 2019 08:25:05 -0700 (PDT) From: Greg Rose To: dev@openvswitch.org Date: Tue, 9 Jul 2019 08:25:02 -0700 Message-Id: <1562685903-32115-1-git-send-email-gvrose8192@gmail.com> X-Mailer: git-send-email 1.8.3.1 X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH 1/2] compat: ip6_gre: fix possible use-after-free in ip6erspan_rcv X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Upstream commit: commit 2a3cabae4536edbcb21d344e7aa8be7a584d2afb Author: Lorenzo Bianconi Date: Sat Apr 6 17:16:53 2019 +0200 net: ip6_gre: fix possible use-after-free in ip6erspan_rcv erspan_v6 tunnels run __iptunnel_pull_header on received skbs to remove erspan header. This can determine a possible use-after-free accessing pkt_md pointer in ip6erspan_rcv since the packet will be 'uncloned' running pskb_expand_head if it is a cloned gso skb (e.g if the packet has been sent though a veth device). Fix it resetting pkt_md pointer after __iptunnel_pull_header Fixes: 1d7e2ed22f8d ("net: erspan: refactor existing erspan code") Signed-off-by: Lorenzo Bianconi Signed-off-by: David S. Miller Fixes: c387d8177f20 ("compat: Add ipv6 GRE and IPV6 Tunneling") Cc: Lorenzo Bianconi Signed-off-by: Greg Rose Acked-by: William Tu --- datapath/linux/compat/ip6_gre.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/datapath/linux/compat/ip6_gre.c b/datapath/linux/compat/ip6_gre.c index a2cc45d..afff817 100644 --- a/datapath/linux/compat/ip6_gre.c +++ b/datapath/linux/compat/ip6_gre.c @@ -538,11 +538,11 @@ static int ip6gre_rcv(struct sk_buff *skb, const struct tnl_ptk_info *tpi) return PACKET_RCVD; } -static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len, - struct tnl_ptk_info *tpi) +static int ip6erspan_rcv(struct sk_buff *skb, + struct tnl_ptk_info *tpi, + int gre_hdr_len) { struct erspan_base_hdr *ershdr; - struct erspan_metadata *pkt_md; const struct ipv6hdr *ipv6h; struct erspan_md2 *md2; struct ip6_tnl *tunnel; @@ -566,17 +566,15 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len, if (unlikely(!pskb_may_pull(skb, len))) return PACKET_REJECT; - ershdr = (struct erspan_base_hdr *)skb->data; - pkt_md = (struct erspan_metadata *)(ershdr + 1); - if (__iptunnel_pull_header(skb, len, htons(ETH_P_TEB), false, false) < 0) return PACKET_REJECT; if (tunnel->parms.collect_md) { + struct erspan_metadata *pkt_md, *md; struct ip_tunnel_info *info; - struct erspan_metadata *md; + unsigned char *gh; __be64 tun_id; __be16 flags; @@ -589,6 +587,14 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len, if (!tun_dst) return PACKET_REJECT; + /* skb can be uncloned in __iptunnel_pull_header, so + * old pkt_md is no longer valid and we need to reset + * it + */ + gh = skb_network_header(skb) + + skb_network_header_len(skb); + pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + + sizeof(*ershdr)); info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; @@ -623,7 +629,7 @@ static int gre_rcv(struct sk_buff *skb) if (unlikely(tpi.proto == htons(ETH_P_ERSPAN) || tpi.proto == htons(ETH_P_ERSPAN2))) { - if (ip6erspan_rcv(skb, hdr_len, &tpi) == PACKET_RCVD) + if (ip6erspan_rcv(skb, &tpi, hdr_len) == PACKET_RCVD) return 0; goto out; } From patchwork Tue Jul 9 15:25:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gregory Rose X-Patchwork-Id: 1129897 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="P8hWazAQ"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 45jmY60d1vz9s8m for ; Wed, 10 Jul 2019 01:32:58 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id B61BE3AAF; Tue, 9 Jul 2019 15:31:51 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id D4E382EC9 for ; Tue, 9 Jul 2019 15:25:08 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com [209.85.210.193]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7765A148 for ; Tue, 9 Jul 2019 15:25:08 +0000 (UTC) Received: by mail-pf1-f193.google.com with SMTP id b13so4860470pfo.1 for ; Tue, 09 Jul 2019 08:25:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Q6A6+6eB4SX4qIdYx2XMFBQQ48qc4633rA4trMxRcwY=; b=P8hWazAQuPrromtFs7lT0Ei26MQXzGyDjUY3mtRM7ZBTqg2Yiu6AqirxbL99V3zFLK 3j+g1kMRVeoLvWcgTcTWpofaEvOKhvbCk0ZsHluaaVHsrgY3rIzB71pb3RDdpjuyp2Ao mPmVFJLpjMlqstXelsd94RfMO+XZMrR6H5jx3md6TtHF8Sdau9eVbgCmiJQVP4T1K6Dq +eWG4y9lDFyMQAmN8/idbB/OahF3boInmJNG2Ww0s1b5jtQTCEfGUg58Uz40QZg7xyP6 F5RYsbFKmbnZg/E5XswJmGrnTuzpIMvFqkb4etTVaDKP2QjiyZNbTW2wNiwF42SDw0x1 JkJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Q6A6+6eB4SX4qIdYx2XMFBQQ48qc4633rA4trMxRcwY=; b=D4Xo7+kFgZZ0D6gtGjmShJbHoHqE+5QxKCJwAaQlvSHt21Kt6/UGYmEozCwUtvZLCA CtpWFtlLLsmug7fMAh4CC9KJODTmtuZ0/noBlcpx26XDMpMbZ89GrzgdKEjISDgXneoT gmhkwCbNHjZbWom0QnaBRVuWTBDkSp2hhrDeDm/efXQNO+eQ9Gtzn5CkzFhzOdzCJPR7 rYSGtimAwOgdA7fUbaPg3QoRoslYThv+KEAuyiChLPXwtS0AEBf2e/w7nZa5HFMRNKo1 B0LzW+6igrXeLwPK/ILPGjiT2dFuekSL1CRCK5MIaeK9fLNeu8qdn2zV+eMOn7h1GFli A8pw== X-Gm-Message-State: APjAAAW2wa7KhJ6tUj3rAA6vISrj13iC+ChGgEuKipw3PfB+3+zsJ5Gn 03Zr00Pq29DGjc3kzegN1gNl5WoJ X-Google-Smtp-Source: APXvYqwZ6SGh+mt4PCZSbA5nfrlBNexdSFDmzp14GJYXxBzQuF9n/97sMPTsdJRQNLt5HJP64I5CcA== X-Received: by 2002:a63:d748:: with SMTP id w8mr30814314pgi.157.1562685907678; Tue, 09 Jul 2019 08:25:07 -0700 (PDT) Received: from gizo.domain ([97.115.142.179]) by smtp.gmail.com with ESMTPSA id k22sm27447912pfg.77.2019.07.09.08.25.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Jul 2019 08:25:07 -0700 (PDT) From: Greg Rose To: dev@openvswitch.org Date: Tue, 9 Jul 2019 08:25:03 -0700 Message-Id: <1562685903-32115-2-git-send-email-gvrose8192@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1562685903-32115-1-git-send-email-gvrose8192@gmail.com> References: <1562685903-32115-1-git-send-email-gvrose8192@gmail.com> X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH 2/2] datapath: fix csum updates for MPLS actions X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Upstream commit: commit 0e3183cd2a64843a95b62f8bd4a83605a4cf0615 Author: John Hurley Date: Thu Jun 27 14:37:30 2019 +0100 net: openvswitch: fix csum updates for MPLS actions Skbs may have their checksum value populated by HW. If this is a checksum calculated over the entire packet then the CHECKSUM_COMPLETE field is marked. Changes to the data pointer on the skb throughout the network stack still try to maintain this complete csum value if it is required through functions such as skb_postpush_rcsum. The MPLS actions in Open vSwitch modify a CHECKSUM_COMPLETE value when changes are made to packet data without a push or a pull. This occurs when the ethertype of the MAC header is changed or when MPLS lse fields are modified. The modification is carried out using the csum_partial function to get the csum of a buffer and add it into the larger checksum. The buffer is an inversion of the data to be removed followed by the new data. Because the csum is calculated over 16 bits and these values align with 16 bits, the effect is the removal of the old value from the CHECKSUM_COMPLETE and addition of the new value. However, the csum fed into the function and the outcome of the calculation are also inverted. This would only make sense if it was the new value rather than the old that was inverted in the input buffer. Fix the issue by removing the bit inverts in the csum_partial calculation. The bug was verified and the fix tested by comparing the folded value of the updated CHECKSUM_COMPLETE value with the folded value of a full software checksum calculation (reset skb->csum to 0 and run skb_checksum_complete(skb)). Prior to the fix the outcomes differed but after they produce the same result. Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel") Fixes: bc7cc5999fd3 ("openvswitch: update checksum in {push,pop}_mpls") Signed-off-by: John Hurley Reviewed-by: Jakub Kicinski Reviewed-by: Simon Horman Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Fixes: ccf4378615e9 ("datapath: Add basic MPLS support to kernel") Fixes: b51367aad315 ("datapath: update checksum in {push,pop}_mpls") Cc: John Hurley Signed-off-by: Greg Rose Acked-by: William Tu --- datapath/actions.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/datapath/actions.c b/datapath/actions.c index 5a1d320..a44e804 100644 --- a/datapath/actions.c +++ b/datapath/actions.c @@ -178,8 +178,7 @@ static void update_ethertype(struct sk_buff *skb, struct ethhdr *hdr, if (skb->ip_summed == CHECKSUM_COMPLETE) { __be16 diff[] = { ~(hdr->h_proto), ethertype }; - skb->csum = ~csum_partial((char *)diff, sizeof(diff), - ~skb->csum); + skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum); } hdr->h_proto = ethertype; @@ -273,8 +272,7 @@ static int set_mpls(struct sk_buff *skb, struct sw_flow_key *flow_key, if (skb->ip_summed == CHECKSUM_COMPLETE) { __be32 diff[] = { ~(stack->label_stack_entry), lse }; - skb->csum = ~csum_partial((char *)diff, sizeof(diff), - ~skb->csum); + skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum); } stack->label_stack_entry = lse;