From patchwork Tue Sep 12 19:49:27 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Khalid Elmously
X-Patchwork-Id: 1833153
From: Khalid Elmously
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] net: Avoid address overwrite in kernel_connect
Date: Tue, 12 Sep 2023 15:49:27 -0400
Message-Id: <20230912194927.704891-2-khalid.elmously@canonical.com>
In-Reply-To: <20230912194927.704891-1-khalid.elmously@canonical.com>
References: <20230912194927.704891-1-khalid.elmously@canonical.com>

From: Jordan Rife

BugLink: https://bugs.launchpad.net/bugs/2035163

BPF programs that run on connect can rewrite the connect address. For the connect system call this isn't a problem, because a copy of the address is made when it is moved into kernel space. However, kernel_connect simply passes through the address it is given, so the caller may observe its address value unexpectedly change.

A practical example where this is problematic is where NFS is combined with a system such as Cilium which implements BPF-based load balancing. A common pattern in software-defined storage systems is to have an NFS mount that connects to a persistent virtual IP which in turn maps to an ephemeral server IP. This is usually done to achieve high availability: if your server goes down you can quickly spin up a replacement and remap the virtual IP to that endpoint. With BPF-based load balancing, mounts will forget the virtual IP address when the address rewrite occurs because a pointer to the only copy of that address is passed down the stack. Server failover then breaks, because clients have forgotten the virtual IP address. Reconnects fail and mounts remain broken. This patch was tested by setting up a scenario like this and ensuring that NFS reconnects worked after applying the patch.

Signed-off-by: Jordan Rife
Signed-off-by: David S. Miller (backported from commit 0bdf399342c5acbd817c9098b6c7ed21f1974312) [ kmously: adjusted for lack of READ_ONCE() ] Signed-off-by: Khalid Elmously --- net/socket.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/socket.c b/net/socket.c index 5c49074ef7f2ae..7344dcc7cb1ccb 100644 --- a/net/socket.c +++ b/net/socket.c @@ -3453,7 +3453,12 @@ EXPORT_SYMBOL(kernel_accept); int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, int flags) { - return sock->ops->connect(sock, addr, addrlen, flags); + struct sockaddr_storage address; + + memcpy(&address, addr, addrlen); + + return sock->ops->connect(sock, (struct sockaddr *)&address, + addrlen, flags); } EXPORT_SYMBOL(kernel_connect);
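
Review bot: In kernel_connect(), `memcpy(&address, addr, addrlen)` copies a caller-supplied `int addrlen` into the on-stack `struct sockaddr_storage` with no bound check, so a length that is negative or larger than sizeof(address) would write past the stack buffer. The commit message notes that the connect system call copies the address when it is moved into kernel space, but in-kernel callers reach this function directly and nothing in the hunk constrains what they pass. I would reject out-of-range lengths before the copy, for example `if (addrlen < 0 || addrlen > (int)sizeof(address)) return -EINVAL;`, or document in a comment above the function that callers must guarantee addrlen fits in a sockaddr_storage. A one-line comment on why the copy exists (a BPF connect hook may rewrite the address in place) would also help the next reader of net/socket.c.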