--- /dev/null
+From 514860e68acb76935a5e2d7b5a415f993045c900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Mar 2021 09:55:15 -0700
+Subject: ipv6: weaken the v4mapped source check
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit dcc32f4f183ab8479041b23a1525d48233df1d43 ]
+
+This reverts commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3.
+
+Commit 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped
+source address") introduced an input check against v4mapped addresses.
+Use of such addresses on the wire is indeed questionable and not
+allowed on public Internet. As the commit pointed out
+
+ https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
+
+lists potential issues.
+
+Unfortunately there are applications which use v4mapped addresses,
+and breaking them is a clear regression. For example v4mapped
+addresses (or any semi-valid addresses, really) may be used
+for uni-direction event streams or packet export.
+
+Since the issue which sparked the addition of the check was with
+TCP and request_socks in particular push the check down to TCPv6
+and DCCP. This restores the ability to receive UDPv6 packets with
+v4mapped address as the source.
+
+Keep using the IPSTATS_MIB_INHDRERRORS statistic to minimize the
+user-visible changes.
+
+Fixes: 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped source address")
+Reported-by: Sunyi Shao <sunyishao@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv6.c | 5 +++++
+ net/ipv6/ip6_input.c | 10 ----------
+ net/ipv6/tcp_ipv6.c | 5 +++++
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index b438bed6749d..2cd3508a3786 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -319,6 +319,11 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
+ if (!ipv6_unicast_destination(skb))
+ return 0; /* discard, don't send a reset here */
+
++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
++ return 0;
++ }
++
+ if (dccp_bad_service_code(sk, service)) {
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_BAD_SERVICE_CODE;
+ goto drop;
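Review bot: The v4mapped check added to dccp_v6_conn_request has no comment, and the rationale that sat above the removed check in ip6_input.c (a source such as ::ffff:127.0.0.1 can fool address-based security models) is now gone from the tree; the same applies to the identical check added in tcp_v6_conn_request. I would add `/* v4mapped source: the dual-stack model cannot deal with these (draft-itojun-v6ops-v4mapped-harmful-02); discard, no reset */` above the `if`. The drop now covers only TCPv6 and DCCP connection requests, so, as the description states for UDPv6, other receive paths accept v4mapped sources again. Any packet filter or application ACL that treats ::ffff:a.b.c.d as the IPv4 address must therefore reject or normalise it itself. The function body continues outside the hunk.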
+diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
+index e41070fb4fc0..9ee208a348f5 100644
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -173,16 +173,6 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
+ if (ipv6_addr_is_multicast(&hdr->saddr))
+ goto err;
+
+- /* While RFC4291 is not explicit about v4mapped addresses
+- * in IPv6 headers, it seems clear linux dual-stack
+- * model can not deal properly with these.
+- * Security models could be fooled by ::ffff:127.0.0.1 for example.
+- *
+- * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
+- */
+- if (ipv6_addr_v4mapped(&hdr->saddr))
+- goto err;
+-
+ skb->transport_header = skb->network_header + sizeof(*hdr);
+ IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index a516490de3db..037958ccc9f5 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1013,6 +1013,11 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
+ if (!ipv6_unicast_destination(skb))
+ goto drop;
+
++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
++ return 0;
++ }
++
+ return tcp_conn_request(&tcp6_request_sock_ops,
+ &tcp_request_sock_ipv6_ops, sk, skb);
+
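Review bot: The added v4mapped check exits with `return 0;` while the unicast-destination check directly above it uses `goto drop;`, so whatever accounting the `drop` label performs (it lies outside this hunk) is skipped and only IPSTATS_MIB_INHDRERRORS is incremented. The description indicates this is deliberate, to keep the statistic user-visible as before. A one-line comment such as `/* counted as INHDRERRORS, as when this check lived in ipv6_rcv(); deliberately not goto drop */` would keep a later cleanup from unifying the two exits. For monitoring, v4mapped connection attempts will presumably appear under the IPv6 header-error counter rather than a TCP listen-drop counter, so alerting built on the latter will not see them.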
+--
+2.30.1
+
--- /dev/null
+From ab19e8416c3b5ab31d557c1b528a74b9ac10bc6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 18:24:43 +0000
+Subject: selinux: vsock: Set SID for socket returned by accept()
+
+From: David Brazdil <dbrazdil@google.com>
+
+[ Upstream commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b ]
+
+For AF_VSOCK, accept() currently returns sockets that are unlabelled.
+Other socket families derive the child's SID from the SID of the parent
+and the SID of the incoming packet. This is typically done as the
+connected socket is placed in the queue that accept() removes from.
+
+Reuse the existing 'security_sk_clone' hook to copy the SID from the
+parent (server) socket to the child. There is no packet SID in this
+case.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: David Brazdil <dbrazdil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index eafcc75f289a..ae85a5e5648b 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -635,6 +635,7 @@ struct sock *__vsock_create(struct net *net,
+ vsk->trusted = psk->trusted;
+ vsk->owner = get_cred(psk->owner);
+ vsk->connect_timeout = psk->connect_timeout;
++ security_sk_clone(parent, sk);
+ } else {
+ vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN);
+ vsk->owner = get_current_cred();
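Review bot: The `security_sk_clone(parent, sk);` call is added without a comment, and the reason it copies only the parent's label is recorded only in the commit description. I would add `/* inherit the listening socket's LSM label; vsock has no per-packet SID to combine with */` above the call. It sits in the branch that also copies `psk->trusted` and `psk->owner`, whose condition is outside the hunk, so I assume `parent` is non-NULL there; that is worth confirming. Systems whose policy was written while accepted AF_VSOCK sockets were unlabelled may need rules for the inherited label once this lands, so denials on accepted vsock sockets should be watched after the update.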
+--
+2.30.1
+