MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-08-22 00:42:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
v5.15.187
linux-yocto/net/xfrm
History
Paul Chaignon 0995986ffd xfrm: Sanitize marks before insert 
[ Upstream commit 0b91fda3a1 ]

Prior to this patch, the mark is sanitized (applying the state's mask to
the state's value) only on inserts when checking if a conflicting XFRM
state or policy exists.

We discovered in Cilium that this same sanitization does not occur
in the hot-path __xfrm_state_lookup. In the hot-path, the sk_buff's mark
is simply compared to the state's value:

    if ((mark & x->mark.m) != x->mark.v)
        continue;

Therefore, users can define unsanitized marks (ex. 0xf42/0xf00) which will
never match any packet.

This commit updates __xfrm_state_insert and xfrm_policy_insert to store
the sanitized marks, thus removing this footgun.

This has the side effect of changing the ip output, as the
returned mark will have the mask applied to it when printed.

Fixes: 3d6acfa764 ("xfrm: SA lookups with mark")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Louis DeLosSantos <louis.delos.devel@gmail.com>
Co-developed-by: Louis DeLosSantos <louis.delos.devel@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-06-04 14:38:05 +02:00
..
espintcp.c net: Fix data-races around netdev_max_backlog. 2022-08-31 17:16:42 +02:00
Kconfig
Makefile xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c 2023-06-28 10:29:45 +02:00
xfrm_algo.c
xfrm_compat.c net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure 2023-08-26 14:23:32 +02:00
xfrm_device.c xfrm: store and rely on direction to construct offload flags 2024-12-14 19:50:54 +01:00
xfrm_hash.c
xfrm_hash.h
xfrm_inout.h
xfrm_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:50:57 +02:00
xfrm_interface_core.c xfrm: interface: use DEV_STATS_INC() 2023-10-25 11:58:56 +02:00
xfrm_ipcomp.c xfrm: Update ipcomp_scratches with NULL when freed 2022-10-26 12:35:34 +02:00
xfrm_output.c xfrm_output: Force software GSO only in tunnel mode 2025-04-10 14:31:53 +02:00
xfrm_policy.c xfrm: Sanitize marks before insert 2025-06-04 14:38:05 +02:00
xfrm_proc.c
xfrm_replay.c xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO 2025-03-13 12:50:11 +01:00
xfrm_state.c xfrm: Sanitize marks before insert 2025-06-04 14:38:05 +02:00
xfrm_sysctl.c
xfrm_user.c xfrm: store and rely on direction to construct offload flags 2024-12-14 19:50:54 +01:00