[thirdparty/kernel/stable-queue.git] / releases / 4.9.169 / netns-provide-pure-entropy-for-net_hash_mix.patch

From foo@baz Mon Apr 15 07:47:06 CEST 2019
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 27 Mar 2019 08:21:30 -0700
Subject: netns: provide pure entropy for net_hash_mix()

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 355b98553789b646ed97ad801a619ff898471b92 ]

net_hash_mix() currently uses kernel address of a struct net,
and is used in many places that could be used to reveal this
address to a patient attacker, thus defeating KASLR, for
the typical case (initial net namespace, &init_net is
not dynamically allocated)

I believe the original implementation tried to avoid spending
too many cycles in this function, but security comes first.

Also provide entropy regardless of CONFIG_NET_NS.

Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/net_namespace.h |    1 +
 include/net/netns/hash.h    |   15 ++-------------
 net/core/net_namespace.c    |    1 +
 3 files changed, 4 insertions(+), 13 deletions(-)

--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -53,6 +53,7 @@ struct net {
 						 */
 	spinlock_t		rules_mod_lock;
 
+	u32			hash_mix;
 	atomic64_t		cookie_gen;
 
 	struct list_head	list;		/* list of network namespaces */
--- a/include/net/netns/hash.h
+++ b/include/net/netns/hash.h
@@ -1,21 +1,10 @@
 #ifndef __NET_NS_HASH_H__
 #define __NET_NS_HASH_H__
 
-#include <asm/cache.h>
-
-struct net;
+#include <net/net_namespace.h>
 
 static inline u32 net_hash_mix(const struct net *net)
 {
-#ifdef CONFIG_NET_NS
-	/*
-	 * shift this right to eliminate bits, that are
-	 * always zeroed
-	 */
-
-	return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT);
-#else
-	return 0;
-#endif
+	return net->hash_mix;
 }
 #endif
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -282,6 +282,7 @@ static __net_init int setup_net(struct n
 
 	atomic_set(&net->count, 1);
 	atomic_set(&net->passive, 1);
+	get_random_bytes(&net->hash_mix, sizeof(u32));
 	net->dev_base_seq = 1;
 	net->user_ns = user_ns;
 	idr_init(&net->netns_ids);
Commit	Line	Data
74106e0a GKH	1	From foo@baz Mon Apr 15 07:47:06 CEST 2019
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Wed, 27 Mar 2019 08:21:30 -0700
	4	Subject: netns: provide pure entropy for net_hash_mix()
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8	[ Upstream commit 355b98553789b646ed97ad801a619ff898471b92 ]
	9
	10	net_hash_mix() currently uses kernel address of a struct net,
	11	and is used in many places that could be used to reveal this
	12	address to a patient attacker, thus defeating KASLR, for
	13	the typical case (initial net namespace, &init_net is
	14	not dynamically allocated)
	15
	16	I believe the original implementation tried to avoid spending
	17	too many cycles in this function, but security comes first.
	18
	19	Also provide entropy regardless of CONFIG_NET_NS.
	20
	21	Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
	22	Signed-off-by: Eric Dumazet <edumazet@google.com>
	23	Reported-by: Amit Klein <aksecurity@gmail.com>
	24	Reported-by: Benny Pinkas <benny@pinkas.net>
	25	Cc: Pavel Emelyanov <xemul@openvz.org>
	26	Signed-off-by: David S. Miller <davem@davemloft.net>
	27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	28	---
	29	include/net/net_namespace.h \| 1 +
	30	include/net/netns/hash.h \| 15 ++-------------
	31	net/core/net_namespace.c \| 1 +
	32	3 files changed, 4 insertions(+), 13 deletions(-)
	33
	34	--- a/include/net/net_namespace.h
	35	+++ b/include/net/net_namespace.h
	36	@@ -53,6 +53,7 @@ struct net {
	37	*/
	38	spinlock_t rules_mod_lock;
	39
	40	+ u32 hash_mix;
	41	atomic64_t cookie_gen;
	42
	43	struct list_head list; /* list of network namespaces */
	44	--- a/include/net/netns/hash.h
	45	+++ b/include/net/netns/hash.h
	46	@@ -1,21 +1,10 @@
	47	#ifndef __NET_NS_HASH_H__
	48	#define __NET_NS_HASH_H__
	49
	50	-#include <asm/cache.h>
	51	-
	52	-struct net;
	53	+#include <net/net_namespace.h>
	54
	55	static inline u32 net_hash_mix(const struct net *net)
	56	{
	57	-#ifdef CONFIG_NET_NS
	58	- /*
	59	- * shift this right to eliminate bits, that are
	60	- * always zeroed
	61	- */
	62	-
	63	- return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT);
	64	-#else
65	- return 0;
66	-#endif
67	+ return net->hash_mix;
68	}
69	#endif
70	--- a/net/core/net_namespace.c
71	+++ b/net/core/net_namespace.c
72	@@ -282,6 +282,7 @@ static __net_init int setup_net(struct n
73
74	atomic_set(&net->count, 1);
75	atomic_set(&net->passive, 1);
76	+ get_random_bytes(&net->hash_mix, sizeof(u32));
77	net->dev_base_seq = 1;
78	net->user_ns = user_ns;
79	idr_init(&net->netns_ids);