From patchwork Tue Sep 12 03:21:31 2023
X-Patchwork-Submitter: Khalid Elmously
X-Patchwork-Id: 1832618
From: Khalid Elmously
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] net: Avoid address overwrite in kernel_connect
Date: Mon, 11 Sep 2023 23:21:31 -0400
Message-Id: <20230912032131.678266-2-khalid.elmously@canonical.com>
In-Reply-To: <20230912032131.678266-1-khalid.elmously@canonical.com>
References: <20230912032131.678266-1-khalid.elmously@canonical.com>
List-Id: Kernel team discussions

From: Jordan Rife

BugLink: https://bugs.launchpad.net/bugs/2035163

BPF programs that run on connect can rewrite the connect address. For the connect system call this isn't a problem, because a copy of the address is made when it is moved into kernel space. However, kernel_connect simply passes through the address it is given, so the caller may observe its address value unexpectedly change.

A practical example where this is problematic is where NFS is combined with a system such as Cilium which implements BPF-based load balancing. A common pattern in software-defined storage systems is to have an NFS mount that connects to a persistent virtual IP which in turn maps to an ephemeral server IP. This is usually done to achieve high availability: if your server goes down you can quickly spin up a replacement and remap the virtual IP to that endpoint. With BPF-based load balancing, mounts will forget the virtual IP address when the address rewrite occurs because a pointer to the only copy of that address is passed down the stack. Server failover then breaks, because clients have forgotten the virtual IP address. Reconnects fail and mounts remain broken. This patch was tested by setting up a scenario like this and ensuring that NFS reconnects worked after applying the patch.

Signed-off-by: Jordan Rife
Signed-off-by: David S. Miller
(backported from commit 0bdf399342c5acbd817c9098b6c7ed21f1974312)
[ kmously: adjusted for lack of READ_ONCE() ]
Signed-off-by: Khalid Elmously
Acked-by: Thadeu Lima de Souza Cascardo
--- net/socket.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/socket.c b/net/socket.c index 5c49074ef7f2ae..7344dcc7cb1ccb 100644 --- a/net/socket.c +++ b/net/socket.c 
@@ -3453,7 +3453,12 @@ EXPORT_SYMBOL(kernel_accept); int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen, int flags) { - return sock->ops->connect(sock, addr, addrlen, flags); + struct sockaddr_storage address; + + memcpy(&address, addr, addrlen); + + return sock->ops->connect(sock, (struct sockaddr *)&address, + addrlen, flags); } EXPORT_SYMBOL(kernel_connect);
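
Review bot: memcpy(&address, addr, addrlen) in kernel_connect copies a caller-supplied length into a fixed-size struct sockaddr_storage on the stack with no bound check. addrlen is an int, so a value larger than sizeof(address), or a negative one, makes the copy run past the buffer. Before this change the length was only handed to sock->ops->connect, so the copy places a new requirement on every in-kernel caller. Suggest rejecting bad lengths ahead of the copy, for example "if (addrlen < 0 || addrlen > sizeof(address)) return -EINVAL;", or at minimum a comment above the function stating that addrlen must not exceed sizeof(struct sockaddr_storage).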
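
The aliasing problem the commit message describes, as a user-space model added here for illustration (not kernel code and not part of the patch). lb_rewrite, connect_passthrough, connect_copy and vip_survives are hypothetical names, both IP addresses are constructed, and the length check in connect_copy is this example's own addition.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for a BPF connect hook: rewrites the address in place. */
static void lb_rewrite(struct sockaddr *addr)
{
    struct sockaddr_in *in = (struct sockaddr_in *)addr;
    inet_pton(AF_INET, "10.0.0.7", &in->sin_addr); /* constructed backend IP */
}

/* Model of the old kernel_connect: the caller's buffer is passed down. */
static int connect_passthrough(struct sockaddr *addr, int addrlen)
{
    (void)addrlen;
    lb_rewrite(addr);
    return 0;
}

/* Model of the patched kernel_connect: lower layers only see a copy.
 * The length check is this example's addition, not part of the patch. */
static int connect_copy(struct sockaddr *addr, int addrlen)
{
    struct sockaddr_storage address;
    if (addrlen < 0 || (size_t)addrlen > sizeof(address))
        return -1;
    memcpy(&address, addr, (size_t)addrlen);
    lb_rewrite((struct sockaddr *)&address);
    return 0;
}

/* Returns 1 if the caller still holds the virtual IP after connecting. */
static int vip_survives(int (*do_connect)(struct sockaddr *, int))
{
    struct sockaddr_in vip = { .sin_family = AF_INET, .sin_port = htons(2049) };
    struct sockaddr_in saved;
    inet_pton(AF_INET, "192.0.2.10", &vip.sin_addr); /* constructed VIP */
    saved = vip;
    do_connect((struct sockaddr *)&vip, (int)sizeof(vip));
    return vip.sin_addr.s_addr == saved.sin_addr.s_addr;
}

int main(void)
{
    printf("passthrough keeps VIP: %d, copy keeps VIP: %d\n",
           vip_survives(connect_passthrough), vip_survives(connect_copy));
    return 0;
}
```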