[net,1/2] ioam6: fix write to cloned skb in ipv6_hop_ioam()

Message ID 20240216234356.32243-2-justin.iurman@uliege.be (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series ioam6: fix write to cloned skb's

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 956 this patch: 956
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: dsahern@kernel.org
netdev/build_clang success Errors and warnings before: 973 this patch: 973
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 973 this patch: 973
netdev/checkpatch warning WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")' WARNING: line length of 85 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-02-17--03-00 (tests: 1445)

Commit Message

Justin Iurman Feb. 16, 2024, 11:43 p.m. UTC
ioam6_fill_trace_data() writes inside the skb payload without ensuring
it's writeable (e.g., not cloned). This function is called both from the
input and output path. The output path (ioam6_iptunnel) already does the
check. This commit provides a fix for the input path, inside
ipv6_hop_ioam().

Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace ")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
---
 net/ipv6/exthdrs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Paolo Abeni Feb. 19, 2024, 9:05 a.m. UTC | #1
On Sat, 2024-02-17 at 00:43 +0100, Justin Iurman wrote:
> ioam6_fill_trace_data() writes inside the skb payload without ensuring
> it's writeable (e.g., not cloned). This function is called both from the
> input and output path. The output path (ioam6_iptunnel) already does the
> check. This commit provides a fix for the input path, inside
> ipv6_hop_ioam().
> 
> Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace ")
> Reported-by: Paolo Abeni <pabeni@redhat.com>
> Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
> ---
>  net/ipv6/exthdrs.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
> index 4952ae792450..f68e5faab3aa 100644
> --- a/net/ipv6/exthdrs.c
> +++ b/net/ipv6/exthdrs.c
> @@ -943,6 +943,14 @@ static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff)
>  		if (!skb_valid_dst(skb))
>  			ip6_route_input(skb);
>  
> +		if (skb_cloned(skb)) {
> +			if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
> +				goto drop;

My personal preference would be for using skb_ensure_writable() here,
with write_len == optoff + hdr->opt_len.

> +
> +			hdr = (struct ioam6_hdr *)(skb_network_header(skb) + optoff);
> +			trace = (struct ioam6_trace_hdr *)((u8 *)hdr + sizeof(*hdr));

Note that this can potentially change the network header ptr and the
caller - ip6_parse_tlv() - has cached such value in 'nh'. You also need
to update ip6_parse_tlv() to reload such pointer.

Side note: a bunch of self-tests are apparently stuck after this
series. I think it's an unrelated problem. I'll try to have a better
look.

Cheers,

Paolo
Justin Iurman Feb. 19, 2024, 11:18 a.m. UTC | #2
On 2/19/24 10:05, Paolo Abeni wrote:
> On Sat, 2024-02-17 at 00:43 +0100, Justin Iurman wrote:
>> ioam6_fill_trace_data() writes inside the skb payload without ensuring
>> it's writeable (e.g., not cloned). This function is called both from the
>> input and output path. The output path (ioam6_iptunnel) already does the
>> check. This commit provides a fix for the input path, inside
>> ipv6_hop_ioam().
>>
>> Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace ")
>> Reported-by: Paolo Abeni <pabeni@redhat.com>
>> Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
>> ---
>>   net/ipv6/exthdrs.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
>> index 4952ae792450..f68e5faab3aa 100644
>> --- a/net/ipv6/exthdrs.c
>> +++ b/net/ipv6/exthdrs.c
>> @@ -943,6 +943,14 @@ static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff)
>>   		if (!skb_valid_dst(skb))
>>   			ip6_route_input(skb);
>>   
>> +		if (skb_cloned(skb)) {
>> +			if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
>> +				goto drop;
> 
> My personal preference would be for using skb_ensure_writable() here,
> with write_len == optoff + hdr->opt_len.

OK, will do!

>> +
>> +			hdr = (struct ioam6_hdr *)(skb_network_header(skb) + optoff);
>> +			trace = (struct ioam6_trace_hdr *)((u8 *)hdr + sizeof(*hdr));
> 
> Note that this can potentially change the network header ptr and the
> caller - ip6_parse_tlv() - has cached such value in 'nh'. You also need
> to update ip6_parse_tlv() to reload such pointer.

+1, I completely missed it, thanks!

> Side note: a bunch of self-tests are apparently stuck after this
> series. I think it's an unrelated problem. I'll try to have a better
> look.

Can you share the config to observe such behavior? I'll try to 
investigate too.

> Cheers,
> 
> Paolo
>
Patch

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 4952ae792450..f68e5faab3aa 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -943,6 +943,14 @@  static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff)
 		if (!skb_valid_dst(skb))
 			ip6_route_input(skb);
 
+		if (skb_cloned(skb)) {
+			if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
+				goto drop;
+
+			hdr = (struct ioam6_hdr *)(skb_network_header(skb) + optoff);
+			trace = (struct ioam6_trace_hdr *)((u8 *)hdr + sizeof(*hdr));
+		}
+
 		ioam6_fill_trace_data(skb, ns, trace, true);
 		break;
 	default:
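
Review bot: in the added skb_cloned() block, only the local hdr and trace pointers are recomputed after pskb_expand_head(), so any pointer into the header area that was taken before the call and lives outside ipv6_hop_ioam() still refers to the old buffer if the head is reallocated. As raised in the review above, the caller ip6_parse_tlv() caches the network header in 'nh' and needs to reload it once this handler returns. A short comment in the block saying that the head may move, and that this is why hdr and trace are re-derived from skb_network_header(skb) + optoff, would make the dependency visible to the next reader. The review's suggestion of skb_ensure_writable() with write_len == optoff + hdr->opt_len would replace the open-coded clone check and tie the writable range to the option being filled; the pointer reload is still required after it.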