From: David Miller <davem@davemloft.net>
To: hannes@stressinduktion.org
Cc: netdev@vger.kernel.org, jiri@resnulli.us
Subject: Re: [PATCH net-next] ipv6: protect skb->sk accesses from recursive dereference inside the stack
Date: Wed, 01 Apr 2015 14:40:36 -0400 (EDT) [thread overview]
Message-ID: <20150401.144036.1354401396349418295.davem@davemloft.net> (raw)
In-Reply-To: <1427900864-13891-1-git-send-email-hannes@stressinduktion.org>
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Wed, 1 Apr 2015 17:07:44 +0200
> From: "hannes@stressinduktion.org" <hannes@stressinduktion.org>
>
> We should not consult skb->sk for output decisions in xmit recursion
> levels > 0 in the stack. Otherwise local socket settings could influence
> the result of e.g. tunnel encapsulation process.
>
> ipv6 does not conform with this in three places:
>
> 1) ip6_fragment: we do consult ipv6_npinfo for frag_size
>
> 2) sk_mc_loop in ipv6 uses skb->sk and checks if we should
> loop the packet back to the local socket
>
> 3) ip6_skb_dst_mtu could query the settings from the user socket and
> force a wrong MTU
>
> Furthermore:
> In sk_mc_loop we could potentially land in WARN_ON(1) if we use a
> PF_PACKET socket ontop of an IPv6-backed vxlan device.
>
> Reuse xmit_recursion as we are currently only interested in protecting
> tunnel devices.
>
> Cc: Jiri Pirko <jiri@resnulli.us>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> ---
>
> Jiri tried to fix this bug by passing down the tunnel sock pointer.
> Currently there should be no difference in behaviour with this patch.
>
> http://patchwork.ozlabs.org/patch/380404/
> http://patchwork.ozlabs.org/patch/380406/
> http://patchwork.ozlabs.org/patch/380405/
>
> In case we do need more specific fragmentation setup semantics we would
> need to go with Jiri's approach. Currently we don't care about sk_mc_loop
> for kernel sockets, so it is easy to just shut them up. Other options
> are safe as well.
>
> Please review carefully!
As a short term solution I guess this is fine.
I'll let this sit for a day or two so others can review the change.
next prev parent reply other threads:[~2015-04-01 18:40 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-01 15:07 [PATCH net-next] ipv6: protect skb->sk accesses from recursive dereference inside the stack Hannes Frederic Sowa
2015-04-01 18:40 ` David Miller [this message]
2015-04-01 18:57 ` Hannes Frederic Sowa
2015-04-01 19:26 ` David Miller
2015-04-02 0:06 ` Cong Wang
2015-04-02 0:27 ` Eric Dumazet
2015-04-02 0:35 ` Hannes Frederic Sowa
2015-04-02 0:48 ` Eric Dumazet
2015-04-02 0:56 ` Hannes Frederic Sowa
2015-04-02 1:53 ` Eric Dumazet
2015-04-02 11:34 ` Hannes Frederic Sowa
2015-04-02 16:24 ` David Miller
2015-04-02 2:55 ` Cong Wang
2015-04-02 12:05 ` Hannes Frederic Sowa
2015-04-06 20:14 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150401.144036.1354401396349418295.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=jiri@resnulli.us \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.