LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH net] xfrm: Fix xfrm sel prefix length validation
@ 2019-05-21 15:29 Anirudh Gupta
  2019-05-22  3:17 ` Herbert Xu
  0 siblings, 1 reply; 9+ messages in thread
From: Anirudh Gupta @ 2019-05-21 15:29 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: Anirudh Gupta, Herbert Xu, David S. Miller, netdev, linux-kernel

Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.

Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
---
 net/xfrm/xfrm_user.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index eb8d14389601..74a3d1e0ff63 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 
 	err = -EINVAL;
 	switch (p->family) {
+	case AF_INET:
+		break;
+
+	case AF_INET6:
+#if IS_ENABLED(CONFIG_IPV6)
+		break;
+#else
+		err = -EAFNOSUPPORT;
+		goto out;
+#endif
+
+	default:
+		goto out;
+	}
+
+	switch (p->sel.family) {
 	case AF_INET:
 		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
 			goto out;
-- 
2.19.0


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
  2019-05-21 15:29 [PATCH net] xfrm: Fix xfrm sel prefix length validation Anirudh Gupta
@ 2019-05-22  3:17 ` Herbert Xu
  2019-05-28  7:44   ` Steffen Klassert
  0 siblings, 1 reply; 9+ messages in thread
From: Herbert Xu @ 2019-05-22  3:17 UTC (permalink / raw)
  To: Anirudh Gupta
  Cc: Steffen Klassert, Anirudh Gupta, David S. Miller, netdev, linux-kernel

On Tue, May 21, 2019 at 08:59:47PM +0530, Anirudh Gupta wrote:
> Family of src/dst can be different from family of selector src/dst.
> Use xfrm selector family to validate address prefix length,
> while verifying new sa from userspace.
> 
> Validated patch with this command:
> ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
> reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
> 0x1111016400000000000000000000000044440001 128 \
> sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
> 
> Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
> Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
  2019-05-22  3:17 ` Herbert Xu
@ 2019-05-28  7:44   ` Steffen Klassert
  0 siblings, 0 replies; 9+ messages in thread
From: Steffen Klassert @ 2019-05-28  7:44 UTC (permalink / raw)
  To: Herbert Xu
  Cc: Anirudh Gupta, Anirudh Gupta, David S. Miller, netdev, linux-kernel

On Wed, May 22, 2019 at 11:17:00AM +0800, Herbert Xu wrote:
> On Tue, May 21, 2019 at 08:59:47PM +0530, Anirudh Gupta wrote:
> > Family of src/dst can be different from family of selector src/dst.
> > Use xfrm selector family to validate address prefix length,
> > while verifying new sa from userspace.
> > 
> > Validated patch with this command:
> > ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
> > reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
> > 0x1111016400000000000000000000000044440001 128 \
> > sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
> > 
> > Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
> > Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
> 
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Patch applied, thanks everyone!

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
  2019-05-21  8:22 Anirudh Gupta
@ 2019-05-21 12:22 ` Herbert Xu
  0 siblings, 0 replies; 9+ messages in thread
From: Herbert Xu @ 2019-05-21 12:22 UTC (permalink / raw)
  To: Anirudh Gupta
  Cc: Steffen Klassert, Anirudh Gupta, David S. Miller, netdev, linux-kernel

On Tue, May 21, 2019 at 01:52:47PM +0530, Anirudh Gupta wrote:
> Family of src/dst can be different from family of selector src/dst.
> Use xfrm selector family to validate address prefix length,
> while verifying new sa from userspace.
> 
> Validated patch with this command:
> ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
> reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
> 0x1111016400000000000000000000000044440001 128 \
> sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
> 
> Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
> Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
> ---
>  net/xfrm/xfrm_user.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index eb8d14389601..1d1fe2208ab5 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -150,6 +150,23 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
>  
>  	err = -EINVAL;
>  	switch (p->family) {
> +	case AF_INET:
> +		break;
> +
> +	case AF_INET6:
> +#if IS_ENABLED(CONFIG_IPV6)
> +		break;
> +#else
> +		err = -EAFNOSUPPORT;
> +		goto out;
> +#endif
> +
> +	default:
> +		goto out;
> +	}
> +
> +	err = -EINVAL;

This is not needed because you already set it at the start.

Otherwise this looks good to me.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH net] xfrm: Fix xfrm sel prefix length validation
@ 2019-05-21  8:22 Anirudh Gupta
  2019-05-21 12:22 ` Herbert Xu
  0 siblings, 1 reply; 9+ messages in thread
From: Anirudh Gupta @ 2019-05-21  8:22 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: Anirudh Gupta, Herbert Xu, David S. Miller, netdev, linux-kernel

Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.

Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
---
 net/xfrm/xfrm_user.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index eb8d14389601..1d1fe2208ab5 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -150,6 +150,23 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 
 	err = -EINVAL;
 	switch (p->family) {
+	case AF_INET:
+		break;
+
+	case AF_INET6:
+#if IS_ENABLED(CONFIG_IPV6)
+		break;
+#else
+		err = -EAFNOSUPPORT;
+		goto out;
+#endif
+
+	default:
+		goto out;
+	}
+
+	err = -EINVAL;
+	switch (p->sel.family) {
 	case AF_INET:
 		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
 			goto out;
-- 
2.19.0


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
       [not found]   ` <CAN2cbVe3WNj8cR1dLysCP46-LwiHZYMWRpowA+bzNpyZRexSaA@mail.gmail.com>
@ 2019-05-21  2:49     ` Herbert Xu
  0 siblings, 0 replies; 9+ messages in thread
From: Herbert Xu @ 2019-05-21  2:49 UTC (permalink / raw)
  To: Anirudh Gupta
  Cc: Steffen Klassert, Anirudh Gupta, David S. Miller, netdev, linux-kernel

On Mon, May 20, 2019 at 10:30:29PM +0530, Anirudh Gupta wrote:
> Yes, I notice that is the only verification of p->family from userspace.
> However, the underlying conditions added in commit '07bf7908950a',
> validates the selector src/dest prefix len.

You need to check both p->family and p->sel.family.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
  2019-05-20 15:32 ` Herbert Xu
@ 2019-05-20 17:05   ` Anirudh Gupta
       [not found]   ` <CAN2cbVe3WNj8cR1dLysCP46-LwiHZYMWRpowA+bzNpyZRexSaA@mail.gmail.com>
  1 sibling, 0 replies; 9+ messages in thread
From: Anirudh Gupta @ 2019-05-20 17:05 UTC (permalink / raw)
  To: Herbert Xu
  Cc: Steffen Klassert, Anirudh Gupta, David S. Miller, netdev, linux-kernel

Hi Herbert,
Yes, I notice that is the only verification of p->family from userspace.
However, the underlying conditions added in commit '07bf7908950a',
validates the selector src/dest prefix len.

So, In case when adding a new SA entry, the family of Selector src/dst
is IPv6 and state id src/dst family is IPv4.
Then, the IPv6 selector prefix verification falls in IPv4 switch case.
This results in not being able to provide prefix length of more than
32, even for IPv6 src/dst.

The above mentioned behaviour can easily be reproduced using below
command having IPv6 selector src/dst with greater than 32 prefix
length.
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Please let me know, if I fail to explain my point or I am overlooking anything.

Thanks & Regards,
Anirudh


On Mon, May 20, 2019 at 9:02 PM Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> On Mon, May 20, 2019 at 03:01:56PM +0530, Anirudh Gupta wrote:
> >
> > diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> > index eb8d14389601..fc2a8c08091b 100644
> > --- a/net/xfrm/xfrm_user.c
> > +++ b/net/xfrm/xfrm_user.c
> > @@ -149,7 +149,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
> >       int err;
> >
> >       err = -EINVAL;
> > -     switch (p->family) {
> > +     switch (p->sel.family) {
> >       case AF_INET:
> >               if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
> >                       goto out;
>
> You just removed the only verification of p->family...
> --
> Email: Herbert Xu <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt



-- 
Regards

Anirudh Gupta

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH net] xfrm: Fix xfrm sel prefix length validation
  2019-05-20  9:31 Anirudh Gupta
@ 2019-05-20 15:32 ` Herbert Xu
  2019-05-20 17:05   ` Anirudh Gupta
       [not found]   ` <CAN2cbVe3WNj8cR1dLysCP46-LwiHZYMWRpowA+bzNpyZRexSaA@mail.gmail.com>
  0 siblings, 2 replies; 9+ messages in thread
From: Herbert Xu @ 2019-05-20 15:32 UTC (permalink / raw)
  To: Anirudh Gupta
  Cc: Steffen Klassert, Anirudh Gupta, David S. Miller, netdev, linux-kernel

On Mon, May 20, 2019 at 03:01:56PM +0530, Anirudh Gupta wrote:
>
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index eb8d14389601..fc2a8c08091b 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -149,7 +149,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
>  	int err;
>  
>  	err = -EINVAL;
> -	switch (p->family) {
> +	switch (p->sel.family) {
>  	case AF_INET:
>  		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
>  			goto out;

You just removed the only verification of p->family...
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH net] xfrm: Fix xfrm sel prefix length validation
@ 2019-05-20  9:31 Anirudh Gupta
  2019-05-20 15:32 ` Herbert Xu
  0 siblings, 1 reply; 9+ messages in thread
From: Anirudh Gupta @ 2019-05-20  9:31 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: Anirudh Gupta, Herbert Xu, David S. Miller, netdev, linux-kernel

Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.

Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
---
 net/xfrm/xfrm_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index eb8d14389601..fc2a8c08091b 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -149,7 +149,7 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
 	int err;
 
 	err = -EINVAL;
-	switch (p->family) {
+	switch (p->sel.family) {
 	case AF_INET:
 		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
 			goto out;
-- 
2.19.0


^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2019-05-28  7:44 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-21 15:29 [PATCH net] xfrm: Fix xfrm sel prefix length validation Anirudh Gupta
2019-05-22  3:17 ` Herbert Xu
2019-05-28  7:44   ` Steffen Klassert
  -- strict thread matches above, loose matches on Subject: below --
2019-05-21  8:22 Anirudh Gupta
2019-05-21 12:22 ` Herbert Xu
2019-05-20  9:31 Anirudh Gupta
2019-05-20 15:32 ` Herbert Xu
2019-05-20 17:05   ` Anirudh Gupta
     [not found]   ` <CAN2cbVe3WNj8cR1dLysCP46-LwiHZYMWRpowA+bzNpyZRexSaA@mail.gmail.com>
2019-05-21  2:49     ` Herbert Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).