{"id":1839933,"url":"http://patchwork.ozlabs.org/api/covers/1839933/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/cover/20230926200505.2804266-1-jrife@google.com/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20230926200505.2804266-1-jrife@google.com>","list_archive_url":null,"date":"2023-09-26T20:05:02","name":"[net,v6,0/3] Insulate Kernel Space From SOCK_ADDR Hooks","submitter":{"id":87261,"url":"http://patchwork.ozlabs.org/api/people/87261/?format=json","name":"Jordan Rife","email":"jrife@google.com"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/cover/20230926200505.2804266-1-jrife@google.com/mbox/","series":[{"id":374999,"url":"http://patchwork.ozlabs.org/api/series/374999/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=374999","date":"2023-09-26T20:05:02","name":"Insulate Kernel Space From SOCK_ADDR Hooks","version":6,"mbox":"http://patchwork.ozlabs.org/series/374999/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/1839933/comments/","headers":{"Return-Path":"<netfilter-devel-owner@vger.kernel.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=google.com header.i=@google.com header.a=rsa-sha256\n header.s=20230601 header.b=atLFwbr8;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2620:137:e000::1:20; helo=out1.vger.email;\n envelope-from=netfilter-devel-owner@vger.kernel.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])\n\tby legolas.ozlabs.org (Postfix) with ESMTP id 4Rw9hW3qpgz1yp0\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 27 Sep 2023 06:05:15 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n        id S231564AbjIZUFR (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);\n        Tue, 26 Sep 2023 16:05:17 -0400","from lindbergh.monkeyblade.net ([23.128.96.19]:39998 \"EHLO\n        lindbergh.monkeyblade.net\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n        with ESMTP id S235803AbjIZUFR (ORCPT\n        <rfc822;netfilter-devel@vger.kernel.org>);\n        Tue, 26 Sep 2023 16:05:17 -0400","from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com\n [IPv6:2607:f8b0:4864:20::b4a])\n        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C39E11D\n        for <netfilter-devel@vger.kernel.org>;\n Tue, 26 Sep 2023 13:05:10 -0700 (PDT)","by mail-yb1-xb4a.google.com with SMTP id\n 3f1490d57ef6-d8943298013so5951350276.2\n        for <netfilter-devel@vger.kernel.org>;\n Tue, 26 Sep 2023 13:05:10 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=google.com; s=20230601; t=1695758709; x=1696363509;\n darn=vger.kernel.org;\n        h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject\n         :date:message-id:reply-to;\n        bh=LUHQqKLA03cvxOqIb9LV+319kkd0FdCrPANHPM/IRTw=;\n        b=atLFwbr8blVejomJeCh4lmIxX20DbV2RNAqifweKxAWRvnZExZjZrAw4c31yp0sInI\n         k2Hxy3zQagyqWF2rNcnY093lwRXKqSU94jdl1tb/lHJNSgc6KJZCVmEDBtACX+3RtX5G\n         Y6t8S3aIZJ0R1KvnNPmlwJJ4XmU+XFr25Wy2y3xy6l0SNA1QIT0X5LaFaZRqfOr9Bcbi\n         hAxZPer1LDuotdMLhHuR4h+7lWENJyHmJ5RQ+nCamGDs/YI0eFAAMg3ner6O1UseAx77\n         hwR9F7FEDxieu6VbJniVZ9nA/XvlLgwVHTtpwGBV19bLXmn+bTnETagjXvy+tlbgBUIp\n         RkkA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20230601; t=1695758709; x=1696363509;\n        h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state\n         :from:to:cc:subject:date:message-id:reply-to;\n        bh=LUHQqKLA03cvxOqIb9LV+319kkd0FdCrPANHPM/IRTw=;\n        b=pU6/9FYjkt0uLSKOK8iMNCD2w/kZPrDXVW+CO3I86ZzEZRmFl7r/i6g0AVSTmQrRML\n         kuhKZDVw5m8qibK7O1FrDPNsOn9UJloZOzhyu8fhZ4h2hBfcfAd98pDGE2v20ljcVg9S\n         0+M1uLnaEB8qk4FXxIZCy5EwqeNNqWMPcAvg5bGq0NEE6UFFUBbmGyS2PLqfoPcIpttH\n         1Ew/wPUHabS7EBWcf6ZLHi8OqE/PERCsBifLSLaDmVr/tr9cpXzngnrg+Y741pLuJRSb\n         tUs0YkY6J75tLn5TEyjkYO0U2EGocEXVUh4UqTn3LGGn1p4JuhntM7SrhyNigvwWzQak\n         3vkQ==","X-Gm-Message-State":"AOJu0YyCM+PdDlTUVKUeQ2EcsBVsdGZqedjRWO6tIfYw2cTwDi3FVfsP\n        i1f2/f/eWy4Ah9URTOhOEqeq4mwM+Q==","X-Google-Smtp-Source":"\n AGHT+IHiar7acMg7OZkqRteQy8u+g7Q3fC4ZlZH6+0avyWJDsbyt98fkghdeToG/rJkXrrHt5fTNug6bGg==","X-Received":"from jrife.c.googlers.com ([fda3:e722:ac3:cc00:2b:ff92:c0a8:9f])\n (user=jrife job=sendgmr) by 2002:a5b:752:0:b0:d89:4d2c:d846 with SMTP id\n s18-20020a5b0752000000b00d894d2cd846mr52999ybq.12.1695758709189; Tue, 26 Sep\n 2023 13:05:09 -0700 (PDT)","Date":"Tue, 26 Sep 2023 15:05:02 -0500","Mime-Version":"1.0","X-Mailer":"git-send-email 2.42.0.515.g380fc7ccd1-goog","Message-ID":"<20230926200505.2804266-1-jrife@google.com>","Subject":"[PATCH net v6 0/3] Insulate Kernel Space From SOCK_ADDR Hooks","From":"Jordan Rife <jrife@google.com>","To":"davem@davemloft.net, edumazet@google.com, kuba@kernel.org,\n        pabeni@redhat.com, willemdebruijn.kernel@gmail.com,\n        netdev@vger.kernel.org","Cc":"dborkman@kernel.org, horms@verge.net.au, pablo@netfilter.org,\n        kadlec@netfilter.org, fw@strlen.de, santosh.shilimkar@oracle.com,\n        ast@kernel.org, rdna@fb.com, linux-rdma@vger.kernel.org,\n        rds-devel@oss.oracle.com, coreteam@netfilter.org,\n        netfilter-devel@vger.kernel.org, ja@ssi.bg,\n        lvs-devel@vger.kernel.org, kafai@fb.com, daniel@iogearbox.net,\n        daan.j.demeyer@gmail.com, Jordan Rife <jrife@google.com>","Content-Type":"text/plain; charset=\"UTF-8\"","X-Spam-Status":"No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,\n        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL\n        autolearn=ham autolearn_force=no version=3.4.6","X-Spam-Checker-Version":"SpamAssassin 3.4.6 (2021-04-09) on\n        lindbergh.monkeyblade.net","Precedence":"bulk","List-ID":"<netfilter-devel.vger.kernel.org>","X-Mailing-List":"netfilter-devel@vger.kernel.org"},"content":"==OVERVIEW==\n\nThe sock_sendmsg(), kernel_connect(), and kernel_bind() functions\nprovide kernel space equivalents to the sendmsg(), connect(), and bind()\nsystem calls.\n\nWhen used in conjunction with BPF SOCK_ADDR hooks that rewrite the send,\nconnect, or bind address, callers may observe that the address passed to\nthe call is modified. This is a problem not just in theory, but in\npractice, with uninsulated calls to kernel_connect() causing issues with\nbroken NFS and CIFS mounts.\n\ncommit 0bdf399342c5 (\"net: Avoid address overwrite in kernel_connect\")\nensured that callers to kernel_connect() are insulated from such effects\nby passing a copy of the address parameter down the stack, but did not\ngo far enough:\n\n- There remain many instances of direct calls to sock->ops->connect()\n  throughout the kernel which do not benefit from the change to\n  kernel_connect().\n- sock_sendmsg() and kernel_bind() remain uninsulated from address\n  rewrites and there exist many direct calls to sock->ops->bind()\n  throughout the kernel.\n\nThis patch series is the first step to ensuring all socket operations in\nkernel space are safe to use with BPF SOCK_ADDR hooks. It\n\n1) Wraps direct calls to sock->ops->connect() with kernel_connect() to\n   insulate them.\n2) Introduces an address copy to sock_sendmsg() to insulate both calls\n   to kernel_sendmsg() and sock_sendmsg() in kernel space.\n3) Introduces an address copy to kernel_bind() and wraps direct calls to\n   sock->ops->bind() to insulate them.\n\nEarlier versions of this patch series wrapped all calls to\nsock->ops->conect() and sock->ops->bind() throughout the kernel, but\nthis was pared down to instances occuring only in net to avoid merge\nconflicts. A set of patches to various trees will be made as a follow up\nto this series to address this gap.\n\n==CHANGELOG==\n\nV5->V6\n------\n- Preserve original value of msg->msg_namelen in sock_sendmsg() in\n  anticipation of this patch that adds support for SOCK_ADDR hooks to\n  Unix sockets and the ability to modify msg->msg_namelen:\n  - https://lore.kernel.org/bpf/202309231339.L2O0CrMU-lkp@intel.com/T/#m181770af51156bdaa70fd4a4cb013ba11f28e101\n\nV4->V5\n------\n- Removed non-net changes to avoid potential merge conflicts.\n\nV3->V4\n------\n- Removed address length precondition checks from kernel_connect() and\n  kernel_bind().\n- Reordered variable declarations in sock_sendmsg() to maintain reverse\n  xmas tree order.\n\nV2->V3\n------\n- Added \"Fixes\" tags\n- Added address length precondition checks to kernel_connect() and\n  kernel_bind().\n\nV1->V2\n------\n- Split up single patch into patch series.\n- Wrapped all direct calls to sock->ops->connect() with kernel_connect()\n  instead of pushing the address deeper into the stack to avoid\n  duplication of address copy logic and to encourage a consistent\n  interface.\n- Moved address copy up the stack to sock_sendmsg() to avoid duplication\n  of address copy logic.\n- Introduced address copy to kernel_bind() and insulated direct calls to\n  sock->ops->bind().\n\nJordan Rife (3):\n  net: replace calls to sock->ops->connect() with kernel_connect()\n  net: prevent rewrite of msg_name and msg_namelen in sock_sendmsg()\n  net: prevent address rewrite in kernel_bind()\n\n net/netfilter/ipvs/ip_vs_sync.c |  8 ++++----\n net/rds/tcp_connect.c           |  4 ++--\n net/rds/tcp_listen.c            |  2 +-\n net/socket.c                    | 36 ++++++++++++++++++++++++++-------\n 4 files changed, 36 insertions(+), 14 deletions(-)"}