[PATCH 0/1][SRU][E] IPv6 DoS (LP: #1847478)


Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1847478

[Impact]

An unprivileged local attacker could cause a denial of service, or
possibly execute arbitrary code due to an ipv6 regression.

[Test Case]

An unpatched system will crash with the following command:

$ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set
dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table
main suppress_prefixlength 0 && ping -f 1234::1'

[Regression Potential]

Low. The change could theoretically introduce a memory leak but that
would still be an improvement over immediate loss of system
availability.


Clean cherry pick. Build logs are clean. I've successfully tested with
the one-liner in the [Test Case]. I did not run the newly added net
selftest since it is the same as the one-liner.

Tyler

Jason A. Donenfeld (1):
  ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule

 net/ipv6/fib6_rules.c                    |  3 ++-
 tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH 1/1] ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule

Tyler Hicks-2
From: "Jason A. Donenfeld" <[hidden email]>

BugLink: https://launchpad.net/bugs/1847478

Commit 7d9e5f422150 removed references from certain dsts, but accounting
for this never translated down into the fib6 suppression code. This bug
was triggered by WireGuard users who use wg-quick(8), which uses the
"suppress-prefix" directive to ip-rule(8) for routing all of their
internet traffic without routing loops. The test case added here
causes the reference underflow by causing packets to evaluate a suppress
rule.

Fixes: 7d9e5f422150 ("ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF")
Signed-off-by: Jason A. Donenfeld <[hidden email]>
Acked-by: Wei Wang <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit ca7a03c4175366a92cee0ccc4fec0038c3266e26)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 net/ipv6/fib6_rules.c                    |  3 ++-
 tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index d22b6c140f23..f9e8fe3ff0c5 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -287,7 +287,8 @@ static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg
  return false;
 
 suppress_route:
- ip6_rt_put(rt);
+ if (!(arg->flags & FIB_LOOKUP_NOREF))
+ ip6_rt_put(rt);
  return true;
 }
 
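Review bot: The new check at suppress_route relies on arg->flags matching how rt was obtained, and nothing in fib6_rule_suppress states that invariant. If any path can reach this label with FIB_LOOKUP_NOREF set while still holding a reference on rt, skipping ip6_rt_put(rt) leaks it, which is the memory-leak risk the cover letter mentions. A short comment above the check saying that NOREF lookups hold no reference on rt would make the pairing with the lookup side reviewable from this function alone.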
diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
index 5123cf1af90b..2f886a7f51d5 100755
--- a/tools/testing/selftests/net/fib_tests.sh
+++ b/tools/testing/selftests/net/fib_tests.sh
@@ -9,7 +9,7 @@ ret=0
 ksft_skip=4
 
 # all tests in this script. Can be overridden with -t option
-TESTS="unregister down carrier nexthop ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw rp_filter"
+TESTS="unregister down carrier nexthop suppress ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw rp_filter"
 
 VERBOSE=0
 PAUSE_ON_FAIL=no
@@ -615,6 +615,20 @@ fib_nexthop_test()
  cleanup
 }
 
+fib_suppress_test()
+{
+ $IP link add dummy1 type dummy
+ $IP link set dummy1 up
+ $IP -6 route add default dev dummy1
+ $IP -6 rule add table main suppress_prefixlength 0
+ ping -f -c 1000 -W 1 1234::1 || true
+ $IP -6 rule del table main suppress_prefixlength 0
+ $IP link del dummy1
+
+ # If we got here without crashing, we're good.
+ return 0
+}
+
 ################################################################################
 # Tests on route add and replace
 
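Review bot: fib_suppress_test returns 0 unconditionally and checks none of the $IP commands, so a failure to create dummy1 or to add the suppress rule is reported as a pass without the suppress path ever being exercised. It also does its own teardown instead of ending with cleanup as the function just above does, so an interrupted run leaves dummy1 and the suppress_prefixlength rule behind. Suggest checking the exit status of the setup commands and failing or skipping when they do not succeed, and logging a result for the test rather than relying only on "did not crash".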
@@ -1592,6 +1606,7 @@ do
  fib_carrier_test|carrier) fib_carrier_test;;
  fib_rp_filter_test|rp_filter) fib_rp_filter_test;;
  fib_nexthop_test|nexthop) fib_nexthop_test;;
+ fib_suppress_test|suppress) fib_suppress_test;;
  ipv6_route_test|ipv6_rt) ipv6_route_test;;
  ipv4_route_test|ipv4_rt) ipv4_route_test;;
  ipv6_addr_metric) ipv6_addr_metric_test;;
--
2.17.1
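
The reference accounting described in the commit message above, as an added user-space model (not code from the patch or the kernel). struct route, LOOKUP_NOREF, the function names and the starting count of one owner reference are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define LOOKUP_NOREF 0x1  /* hypothetical stand-in for FIB_LOOKUP_NOREF */
/* Simplified model of a refcounted route; not the kernel's structures. */
struct route { int refcnt; bool freed; };

/* A lookup takes a reference unless the caller asked for a NOREF result. */
static struct route *lookup(struct route *rt, int flags)
{
    if (!(flags & LOOKUP_NOREF))
        rt->refcnt++;
    return rt;
}

/* Drop one reference; the object is released when the count reaches zero. */
static void route_put(struct route *rt) { if (--rt->refcnt == 0) rt->freed = true; }

/* Pre-patch shape: the suppress path always drops a reference. */
static void suppress_unconditional(struct route *rt, int flags)
{
    (void)flags;
    route_put(rt);
}

/* Patched shape: drop only the reference the lookup actually took. */
static void suppress_checked(struct route *rt, int flags)
{
    if (!(flags & LOOKUP_NOREF))
        route_put(rt);
}

/* Run n suppressed lookups on a route whose owner holds one reference (assumed). */
static struct route run(void (*suppress)(struct route *, int), int flags, int n)
{
    struct route rt = { .refcnt = 1, .freed = false };
    for (int i = 0; i < n; i++)
        suppress(lookup(&rt, flags), flags);
    return rt;
}

int main(void)
{
    struct route bad = run(suppress_unconditional, LOOKUP_NOREF, 3);
    struct route ok = run(suppress_checked, LOOKUP_NOREF, 3);
    printf("unconditional: refcnt=%d freed=%d\n", bad.refcnt, bad.freed);
    printf("checked:       refcnt=%d freed=%d\n", ok.refcnt, ok.freed);
    return 0;
}
```

In the model, the first NOREF lookup that hits the unconditional put releases the route while its owner still references it, and later lookups drive the count negative; with the check in place the count stays at the owner's single reference.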



ACK: [PATCH 0/1][SRU][E] IPv6 DoS (LP: #1847478)

Thadeu Lima de Souza Cascardo-3
In reply to this post by Tyler Hicks-2
Acked-by: Thadeu Lima de Souza Cascardo <[hidden email]>


Re: [PATCH 0/1][SRU][E] IPv6 DoS (LP: #1847478)

Sultan Alsawaf
In reply to this post by Tyler Hicks-2
Acked-by: Sultan Alsawaf <[hidden email]>

On Wed, Oct 9, 2019, 11:00 AM Tyler Hicks <[hidden email]> wrote:
BugLink: https://launchpad.net/bugs/1847478

[Impact]

An unprivileged local attacker could cause a denial of service, or
possibly execute arbitrary code due to an ipv6 regression.

[Test Case]

An unpatched system will crash with the following command:

$ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set
dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table
main suppress_prefixlength 0 && ping -f 1234::1'

[Regression Potential]

Low. The change could theoretically introduce a memory leak but that
would still be an improvement over immediate loss of system
availability.


Clean cherry pick. Build logs are clean. I've successfully tested with
the one-liner in the [Test Case]. I did not run the newly added net
selftest since it is the same as the one-liner.

Tyler

Jason A. Donenfeld (1):
  ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule

 net/ipv6/fib6_rules.c                    |  3 ++-
 tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

--
2.17.1



APPLIED: [PATCH 0/1][SRU][E] IPv6 DoS (LP: #1847478)

Kleber Souza
In reply to this post by Tyler Hicks-2
On 09.10.19 19:59, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1847478
>
> [Impact]
>
> An unprivileged local attacker could cause a denial of service, or
> possibly execute arbitrary code due to an ipv6 regression.
>
> [Test Case]
>
> An unpatched system will crash with the following command:
>
> $ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set
> dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table
> main suppress_prefixlength 0 && ping -f 1234::1'
>
> [Regression Potential]
>
> Low. The change could theoretically introduce a memory leak but that
> would still be an improvement over immediate loss of system
> availability.
>
>
> Clean cherry pick. Build logs are clean. I've successfully tested with
> the one-liner in the [Test Case]. I did not run the newly added net
> selftest since it is the same as the one-liner.
>
> Tyler
>
> Jason A. Donenfeld (1):
>   ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule
>
>  net/ipv6/fib6_rules.c                    |  3 ++-
>  tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++-
>  2 files changed, 18 insertions(+), 2 deletions(-)
>

Applied to eoan/master-next branch.

Thanks,
Kleber
