linux/net/ipv6/seg6.c

508 lines
10 KiB
C
Raw Permalink Normal View History

/*
* SR-IPv6 implementation
*
* Author:
* David Lebrun <david.lebrun@uclouvain.be>
*
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/in6.h>
#include <linux/slab.h>
#include <linux/rhashtable.h>
#include <net/ipv6.h>
#include <net/protocol.h>
#include <net/seg6.h>
#include <net/genetlink.h>
#include <linux/seg6.h>
#include <linux/seg6_genl.h>
#ifdef CONFIG_IPV6_SEG6_HMAC
#include <net/seg6_hmac.h>
#endif
bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len)
{
int trailing;
unsigned int tlv_offset;
if (srh->type != IPV6_SRCRT_TYPE_4)
return false;
if (((srh->hdrlen + 1) << 3) != len)
return false;
if (srh->segments_left > srh->first_segment)
return false;
tlv_offset = sizeof(*srh) + ((srh->first_segment + 1) << 4);
trailing = len - tlv_offset;
if (trailing < 0)
return false;
while (trailing) {
struct sr6_tlv *tlv;
unsigned int tlv_len;
if (trailing < sizeof(*tlv))
return false;
tlv = (struct sr6_tlv *)((unsigned char *)srh + tlv_offset);
tlv_len = sizeof(*tlv) + tlv->len;
trailing -= tlv_len;
if (trailing < 0)
return false;
tlv_offset += tlv_len;
}
return true;
}
static struct genl_family seg6_genl_family;
static const struct nla_policy seg6_genl_policy[SEG6_ATTR_MAX + 1] = {
[SEG6_ATTR_DST] = { .type = NLA_BINARY,
.len = sizeof(struct in6_addr) },
[SEG6_ATTR_DSTLEN] = { .type = NLA_S32, },
[SEG6_ATTR_HMACKEYID] = { .type = NLA_U32, },
[SEG6_ATTR_SECRET] = { .type = NLA_BINARY, },
[SEG6_ATTR_SECRETLEN] = { .type = NLA_U8, },
[SEG6_ATTR_ALGID] = { .type = NLA_U8, },
[SEG6_ATTR_HMACINFO] = { .type = NLA_NESTED, },
};
#ifdef CONFIG_IPV6_SEG6_HMAC
static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
{
struct net *net = genl_info_net(info);
struct seg6_pernet_data *sdata;
struct seg6_hmac_info *hinfo;
u32 hmackeyid;
char *secret;
int err = 0;
u8 algid;
u8 slen;
sdata = seg6_pernet(net);
if (!info->attrs[SEG6_ATTR_HMACKEYID] ||
!info->attrs[SEG6_ATTR_SECRETLEN] ||
!info->attrs[SEG6_ATTR_ALGID])
return -EINVAL;
hmackeyid = nla_get_u32(info->attrs[SEG6_ATTR_HMACKEYID]);
slen = nla_get_u8(info->attrs[SEG6_ATTR_SECRETLEN]);
algid = nla_get_u8(info->attrs[SEG6_ATTR_ALGID]);
if (hmackeyid == 0)
return -EINVAL;
if (slen > SEG6_HMAC_SECRET_LEN)
return -EINVAL;
mutex_lock(&sdata->lock);
hinfo = seg6_hmac_info_lookup(net, hmackeyid);
if (!slen) {
if (!hinfo)
err = -ENOENT;
err = seg6_hmac_info_del(net, hmackeyid);
goto out_unlock;
}
if (!info->attrs[SEG6_ATTR_SECRET]) {
err = -EINVAL;
goto out_unlock;
}
ipv6: sr: fix out-of-bounds read when setting HMAC data. [ Upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35 ] The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET. Reported-by: Lucas Leong <wmliang.tw@gmail.com> Tested: verified that EINVAL is correctly returned when secretlen > len(secret) Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure") Signed-off-by: David Lebrun <dlebrun@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-09-02 17:45:06 +08:00
if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
err = -EINVAL;
goto out_unlock;
}
if (hinfo) {
err = seg6_hmac_info_del(net, hmackeyid);
if (err)
goto out_unlock;
}
secret = (char *)nla_data(info->attrs[SEG6_ATTR_SECRET]);
hinfo = kzalloc(sizeof(*hinfo), GFP_KERNEL);
if (!hinfo) {
err = -ENOMEM;
goto out_unlock;
}
memcpy(hinfo->secret, secret, slen);
hinfo->slen = slen;
hinfo->alg_id = algid;
hinfo->hmackeyid = hmackeyid;
err = seg6_hmac_info_add(net, hmackeyid, hinfo);
if (err)
kfree(hinfo);
out_unlock:
mutex_unlock(&sdata->lock);
return err;
}
#else
static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
{
return -ENOTSUPP;
}
#endif
static int seg6_genl_set_tunsrc(struct sk_buff *skb, struct genl_info *info)
{
struct net *net = genl_info_net(info);
struct in6_addr *val, *t_old, *t_new;
struct seg6_pernet_data *sdata;
sdata = seg6_pernet(net);
if (!info->attrs[SEG6_ATTR_DST])
return -EINVAL;
val = nla_data(info->attrs[SEG6_ATTR_DST]);
t_new = kmemdup(val, sizeof(*val), GFP_KERNEL);
if (!t_new)
return -ENOMEM;
mutex_lock(&sdata->lock);
t_old = sdata->tun_src;
rcu_assign_pointer(sdata->tun_src, t_new);
mutex_unlock(&sdata->lock);
synchronize_net();
kfree(t_old);
return 0;
}
static int seg6_genl_get_tunsrc(struct sk_buff *skb, struct genl_info *info)
{
struct net *net = genl_info_net(info);
struct in6_addr *tun_src;
struct sk_buff *msg;
void *hdr;
msg = genlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg)
return -ENOMEM;
hdr = genlmsg_put(msg, info->snd_portid, info->snd_seq,
&seg6_genl_family, 0, SEG6_CMD_GET_TUNSRC);
if (!hdr)
goto free_msg;
rcu_read_lock();
tun_src = rcu_dereference(seg6_pernet(net)->tun_src);
if (nla_put(msg, SEG6_ATTR_DST, sizeof(struct in6_addr), tun_src))
goto nla_put_failure;
rcu_read_unlock();
genlmsg_end(msg, hdr);
return genlmsg_reply(msg, info);
nla_put_failure:
rcu_read_unlock();
free_msg:
nlmsg_free(msg);
return -ENOMEM;
}
#ifdef CONFIG_IPV6_SEG6_HMAC
static int __seg6_hmac_fill_info(struct seg6_hmac_info *hinfo,
struct sk_buff *msg)
{
if (nla_put_u32(msg, SEG6_ATTR_HMACKEYID, hinfo->hmackeyid) ||
nla_put_u8(msg, SEG6_ATTR_SECRETLEN, hinfo->slen) ||
nla_put(msg, SEG6_ATTR_SECRET, hinfo->slen, hinfo->secret) ||
nla_put_u8(msg, SEG6_ATTR_ALGID, hinfo->alg_id))
return -1;
return 0;
}
static int __seg6_genl_dumphmac_element(struct seg6_hmac_info *hinfo,
u32 portid, u32 seq, u32 flags,
struct sk_buff *skb, u8 cmd)
{
void *hdr;
hdr = genlmsg_put(skb, portid, seq, &seg6_genl_family, flags, cmd);
if (!hdr)
return -ENOMEM;
if (__seg6_hmac_fill_info(hinfo, skb) < 0)
goto nla_put_failure;
genlmsg_end(skb, hdr);
return 0;
nla_put_failure:
genlmsg_cancel(skb, hdr);
return -EMSGSIZE;
}
static int seg6_genl_dumphmac_start(struct netlink_callback *cb)
{
struct net *net = sock_net(cb->skb->sk);
struct seg6_pernet_data *sdata;
struct rhashtable_iter *iter;
sdata = seg6_pernet(net);
iter = (struct rhashtable_iter *)cb->args[0];
if (!iter) {
iter = kmalloc(sizeof(*iter), GFP_KERNEL);
if (!iter)
return -ENOMEM;
cb->args[0] = (long)iter;
}
rhashtable_walk_enter(&sdata->hmac_infos, iter);
return 0;
}
static int seg6_genl_dumphmac_done(struct netlink_callback *cb)
{
struct rhashtable_iter *iter = (struct rhashtable_iter *)cb->args[0];
rhashtable_walk_exit(iter);
kfree(iter);
return 0;
}
static int seg6_genl_dumphmac(struct sk_buff *skb, struct netlink_callback *cb)
{
struct rhashtable_iter *iter = (struct rhashtable_iter *)cb->args[0];
struct seg6_hmac_info *hinfo;
int ret;
rhashtable_walk_start(iter);
for (;;) {
hinfo = rhashtable_walk_next(iter);
if (IS_ERR(hinfo)) {
if (PTR_ERR(hinfo) == -EAGAIN)
continue;
ret = PTR_ERR(hinfo);
goto done;
} else if (!hinfo) {
break;
}
ret = __seg6_genl_dumphmac_element(hinfo,
NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq,
NLM_F_MULTI,
skb, SEG6_CMD_DUMPHMAC);
if (ret)
goto done;
}
ret = skb->len;
done:
rhashtable_walk_stop(iter);
return ret;
}
#else
static int seg6_genl_dumphmac_start(struct netlink_callback *cb)
{
return 0;
}
static int seg6_genl_dumphmac_done(struct netlink_callback *cb)
{
return 0;
}
static int seg6_genl_dumphmac(struct sk_buff *skb, struct netlink_callback *cb)
{
return -ENOTSUPP;
}
#endif
static int __net_init seg6_net_init(struct net *net)
{
struct seg6_pernet_data *sdata;
sdata = kzalloc(sizeof(*sdata), GFP_KERNEL);
if (!sdata)
return -ENOMEM;
mutex_init(&sdata->lock);
sdata->tun_src = kzalloc(sizeof(*sdata->tun_src), GFP_KERNEL);
if (!sdata->tun_src) {
kfree(sdata);
return -ENOMEM;
}
net->ipv6.seg6_data = sdata;
#ifdef CONFIG_IPV6_SEG6_HMAC
seg6_hmac_net_init(net);
#endif
return 0;
}
static void __net_exit seg6_net_exit(struct net *net)
{
struct seg6_pernet_data *sdata = seg6_pernet(net);
#ifdef CONFIG_IPV6_SEG6_HMAC
seg6_hmac_net_exit(net);
#endif
kfree(sdata->tun_src);
kfree(sdata);
}
static struct pernet_operations ip6_segments_ops = {
.init = seg6_net_init,
.exit = seg6_net_exit,
};
static const struct genl_ops seg6_genl_ops[] = {
{
.cmd = SEG6_CMD_SETHMAC,
.doit = seg6_genl_sethmac,
.policy = seg6_genl_policy,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = SEG6_CMD_DUMPHMAC,
.start = seg6_genl_dumphmac_start,
.dumpit = seg6_genl_dumphmac,
.done = seg6_genl_dumphmac_done,
.policy = seg6_genl_policy,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = SEG6_CMD_SET_TUNSRC,
.doit = seg6_genl_set_tunsrc,
.policy = seg6_genl_policy,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = SEG6_CMD_GET_TUNSRC,
.doit = seg6_genl_get_tunsrc,
.policy = seg6_genl_policy,
.flags = GENL_ADMIN_PERM,
},
};
static struct genl_family seg6_genl_family __ro_after_init = {
.hdrsize = 0,
.name = SEG6_GENL_NAME,
.version = SEG6_GENL_VERSION,
.maxattr = SEG6_ATTR_MAX,
.netnsok = true,
.parallel_ops = true,
.ops = seg6_genl_ops,
.n_ops = ARRAY_SIZE(seg6_genl_ops),
.module = THIS_MODULE,
};
int __init seg6_init(void)
{
int err = -ENOMEM;
err = register_pernet_subsys(&ip6_segments_ops);
if (err)
goto out;
err = genl_register_family(&seg6_genl_family);
if (err)
goto out_unregister_pernet;
#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
err = seg6_iptunnel_init();
if (err)
goto out_unregister_genl;
err = seg6_local_init();
if (err) {
seg6_iptunnel_exit();
goto out_unregister_genl;
}
#endif
#ifdef CONFIG_IPV6_SEG6_HMAC
err = seg6_hmac_init();
if (err)
goto out_unregister_iptun;
#endif
pr_info("Segment Routing with IPv6\n");
out:
return err;
#ifdef CONFIG_IPV6_SEG6_HMAC
out_unregister_iptun:
#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
seg6_local_exit();
seg6_iptunnel_exit();
#endif
#endif
#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
out_unregister_genl:
#endif
#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC)
genl_unregister_family(&seg6_genl_family);
#endif
out_unregister_pernet:
unregister_pernet_subsys(&ip6_segments_ops);
goto out;
}
void seg6_exit(void)
{
#ifdef CONFIG_IPV6_SEG6_HMAC
seg6_hmac_exit();
#endif
#ifdef CONFIG_IPV6_SEG6_LWTUNNEL
seg6_local_exit();
seg6_iptunnel_exit();
#endif
genl_unregister_family(&seg6_genl_family);
unregister_pernet_subsys(&ip6_segments_ops);
}