[PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Daniel Borkmann]

While trying out [1][2], I noticed that tc monitor doesn't show the
correct handle on delete:

  $ tc monitor
  qdisc clsact ffff: dev eno1 parent ffff:fff1
  filter dev eno1 ingress protocol all pref 49152 bpf handle 0x2a [...]
  deleted filter dev eno1 ingress protocol all pref 49152 bpf handle 0xf3be0c80

In fact, the shown handle points to a kernel address, in this case
0xffff8807f3be0c80, which points to a struct cls_bpf_prog from bpf
classifier.

The issue is not bpf specific though. tcf_fill_node() sets a fh as
tcm->tcm_handle, which gets overridden on != RTM_DELTFILTER events
only. For RTM_DELTFILTER events, we cannot call the classifier's
dump() handler, since notification is given after delete() handler
returned with success.

At latest when a classifier's dump() handler is called, tm->tcm_handle
is filled with an actual handle. They are currently classifier
internal, meaning a tcf_proto can handle multiple classifiers if
the implementation supports it, so it needs to be queried from the
callback.

For RTM_DELTFILTER, the fh value contains the address of the object
to dump. Commit 4e54c4816bfe ("[NET]: Add tc extensions infrastructure.")
added the logic to assign tcm->tcm_handle = fh. tcm_handle is 32bit
so for 64bit archs, it's stored truncated. Prior to that commit, it
was set to 0. Reintroduce this, so we at least don't leak the kernel
address or parts of it to unprivileged user space listeners.

Since user space cannot make any sense out of this 32bit part,
passing a random number would be just as good. Lets pass 0, since i)
this allows to add the feature at some point for net-next, and ii)
this is also consistent with notifications via tfilter_notify_chain()
when we delete the entire chain.

  [1] http://patchwork.ozlabs.org/patch/682828/
  [2] http://patchwork.ozlabs.org/patch/682829/

Fixes: 4e54c4816bfe ("[NET]: Add tc extensions infrastructure.")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 ( Commit is in -history tree. Jamal, please take a look if you have
   a chance, thanks. )

 net/sched/cls_api.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 2ee29a3..e11bdc5 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -400,12 +400,11 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb,
 	tcm->tcm__pad2 = 0;
 	tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex;
 	tcm->tcm_parent = tp->classid;
+	tcm->tcm_handle = 0;
 	tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
 	if (nla_put_string(skb, TCA_KIND, tp->ops->kind))
 		goto nla_put_failure;
-	tcm->tcm_handle = fh;
 	if (RTM_DELTFILTER != event) {
-		tcm->tcm_handle = 0;
 		if (tp->ops->dump && tp->ops->dump(net, tp, fh, skb, tcm) < 0)
 			goto nla_put_failure;
 	}
-- 
1.9.3

Re: [PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Jamal Hadi Salim]

[-- Attachment #1: Type: text/plain, Size: 3046 bytes --]

On 16-10-18 04:18 PM, Daniel Borkmann wrote:
> While trying out [1][2], I noticed that tc monitor doesn't show the
> correct handle on delete:
>
>   $ tc monitor
>   qdisc clsact ffff: dev eno1 parent ffff:fff1
>   filter dev eno1 ingress protocol all pref 49152 bpf handle 0x2a [...]
>   deleted filter dev eno1 ingress protocol all pref 49152 bpf handle 0xf3be0c80
>
> In fact, the shown handle points to a kernel address, in this case
> 0xffff8807f3be0c80, which points to a struct cls_bpf_prog from bpf
> classifier.
>
> The issue is not bpf specific though. tcf_fill_node() sets a fh as
> tcm->tcm_handle, which gets overridden on != RTM_DELTFILTER events
> only. For RTM_DELTFILTER events, we cannot call the classifier's
> dump() handler, since notification is given after delete() handler
> returned with success.
>
> At latest when a classifier's dump() handler is called, tm->tcm_handle
> is filled with an actual handle. They are currently classifier
> internal, meaning a tcf_proto can handle multiple classifiers if
> the implementation supports it, so it needs to be queried from the
> callback.
>
> For RTM_DELTFILTER, the fh value contains the address of the object
> to dump. Commit 4e54c4816bfe ("[NET]: Add tc extensions infrastructure.")
> added the logic to assign tcm->tcm_handle = fh. tcm_handle is 32bit
> so for 64bit archs, it's stored truncated. Prior to that commit, it
> was set to 0. Reintroduce this, so we at least don't leak the kernel
> address or parts of it to unprivileged user space listeners.
>
> Since user space cannot make any sense out of this 32bit part,
> passing a random number would be just as good. Lets pass 0, since i)
> this allows to add the feature at some point for net-next, and ii)
> this is also consistent with notifications via tfilter_notify_chain()
> when we delete the entire chain.
>
>   [1] http://patchwork.ozlabs.org/patch/682828/
>   [2] http://patchwork.ozlabs.org/patch/682829/
>
> Fixes: 4e54c4816bfe ("[NET]: Add tc extensions infrastructure.")
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> ---
>  ( Commit is in -history tree. Jamal, please take a look if you have
>    a chance, thanks. )
>
>  net/sched/cls_api.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
> index 2ee29a3..e11bdc5 100644
> --- a/net/sched/cls_api.c
> +++ b/net/sched/cls_api.c
> @@ -400,12 +400,11 @@ static int tcf_fill_node(struct net *net, struct sk_buff *skb,
>  	tcm->tcm__pad2 = 0;
>  	tcm->tcm_ifindex = qdisc_dev(tp->q)->ifindex;
>  	tcm->tcm_parent = tp->classid;
> +	tcm->tcm_handle = 0;
>  	tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
>  	if (nla_put_string(skb, TCA_KIND, tp->ops->kind))
>  		goto nla_put_failure;
> -	tcm->tcm_handle = fh;
>  	if (RTM_DELTFILTER != event) {
> -		tcm->tcm_handle = 0;
>  		if (tp->ops->dump && tp->ops->dump(net, tp, fh, skb, tcm) < 0)
>  			goto nla_put_failure;
>  	}
>


I was sitting on this patch I was going to send ;->
Does this resolve it?

cheers,
jamal



[-- Attachment #2: patch-u32-handle-fix --]
[-- Type: text/plain, Size: 517 bytes --]

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 2ee29a3..2b2a797 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -345,7 +345,8 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
 			if (err == 0) {
 				struct tcf_proto *next = rtnl_dereference(tp->next);
 
-				tfilter_notify(net, skb, n, tp, fh,
+				tfilter_notify(net, skb, n, tp,
+					       t->tcm_handle,
 					       RTM_DELTFILTER, false);
 				if (tcf_destroy(tp, false))
 					RCU_INIT_POINTER(*back, next);

Re: [PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Daniel Borkmann]

On 10/18/2016 11:21 PM, Jamal Hadi Salim wrote:
[...]
> I was sitting on this patch I was going to send ;->
> Does this resolve it?

Ahh sure, looks good to me. All other RTM_DELTFILTER events
would be for the entire tcf_proto and 'enforced' destroy, so
zero handle would indicate that then as opposed to a individual
cls delete with non-zero handle. Seems fine.

Re: [PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Jamal Hadi Salim]

On 16-10-18 05:59 PM, Daniel Borkmann wrote:

> Ahh sure, looks good to me. All other RTM_DELTFILTER events
> would be for the entire tcf_proto and 'enforced' destroy, so
> zero handle would indicate that then as opposed to a individual
> cls delete with non-zero handle. Seems fine.

Ok, thanks. I will send an official patch when i get a chance.
I tested earlier on net-next; but maybe this deserves to go
on net.

cheers,
jamal

Re: [PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Daniel Borkmann]

On 10/19/2016 12:18 AM, Jamal Hadi Salim wrote:
> On 16-10-18 05:59 PM, Daniel Borkmann wrote:
[...]
>> Ahh sure, looks good to me. All other RTM_DELTFILTER events
>> would be for the entire tcf_proto and 'enforced' destroy, so
>> zero handle would indicate that then as opposed to a individual
>> cls delete with non-zero handle. Seems fine.
>
> Ok, thanks. I will send an official patch when i get a chance.
> I tested earlier on net-next; but maybe this deserves to go
> on net.

net would be appropriate as mentioned in commit message.

Thanks,
Daniel

Re: [PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Cong Wang]

On Tue, Oct 18, 2016 at 2:21 PM, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> I was sitting on this patch I was going to send ;->
> Does this resolve it?

Your patch makes more sense to me. Maybe we can remove the
event != RTM_DELTFILTER special case too?

Re: [PATCH net] sched, cls: don't dump kernel addr into tc monitors on delete event

[Jamal Hadi Salim]

On 16-10-18 07:14 PM, Cong Wang wrote:
> On Tue, Oct 18, 2016 at 2:21 PM, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>> I was sitting on this patch I was going to send ;->
>> Does this resolve it?
>
> Your patch makes more sense to me. Maybe we can remove the
> event != RTM_DELTFILTER special case too?
>

We cant entirely get rid of that. Events other than
deletion require that a dump follows.
Probably what you mean is:
We could remove extra line inside "if (RTM_DELTFILTER != event)"
which does "tcm->tcm_handle = 0;"
It would be more reasonable to actually audit the callers of
tcf_fill_node() and make sure they pass the correct fh.

In any case, can we make that a followup - because this is a bug
fix?
I will send it and you could still comment if you dont find that
sufficient.

cheers,
jamal