From: Sasha Levin
Date: Tue, 30 Mar 2021 20:51:41 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v4.4.265~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3910ab6aaf7c5ccee816043ca170bbf355b79be5;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/ipv6-weaken-the-v4mapped-source-check.patch b/queue-4.14/ipv6-weaken-the-v4mapped-source-check.patch
new file mode 100644
index 00000000000..fac7c352d29
--- /dev/null
+++ b/queue-4.14/ipv6-weaken-the-v4mapped-source-check.patch
@@ -0,0 +1,102 @@
+From 514860e68acb76935a5e2d7b5a415f993045c900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Mar 2021 09:55:15 -0700
+Subject: ipv6: weaken the v4mapped source check
+
+From: Jakub Kicinski
+
+[ Upstream commit dcc32f4f183ab8479041b23a1525d48233df1d43 ]
+
+This reverts commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3.
+
+Commit 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped
+source address") introduced an input check against v4mapped addresses.
+Use of such addresses on the wire is indeed questionable and not
+allowed on public Internet. As the commit pointed out
+
+ https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
+
+lists potential issues.
+
+Unfortunately there are applications which use v4mapped addresses,
+and breaking them is a clear regression. For example v4mapped
+addresses (or any semi-valid addresses, really) may be used
+for uni-direction event streams or packet export.
+
+Since the issue which sparked the addition of the check was with
+TCP and request_socks in particular push the check down to TCPv6
+and DCCP. This restores the ability to receive UDPv6 packets with
+v4mapped address as the source.
+
+Keep using the IPSTATS_MIB_INHDRERRORS statistic to minimize the
+user-visible changes.
+
+Fixes: 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped source address")
+Reported-by: Sunyi Shao
+Signed-off-by: Jakub Kicinski
+Acked-by: Mat Martineau
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/dccp/ipv6.c | 5 +++++
+ net/ipv6/ip6_input.c | 10 ----------
+ net/ipv6/tcp_ipv6.c | 5 +++++
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index b438bed6749d..2cd3508a3786 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -319,6 +319,11 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
+ if (!ipv6_unicast_destination(skb))
+ return 0; /* discard, don't send a reset here */
+
++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
++ return 0;
++ }
++
+ if (dccp_bad_service_code(sk, service)) {
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_BAD_SERVICE_CODE;
+ goto drop;
+diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
+index e41070fb4fc0..9ee208a348f5 100644
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -173,16 +173,6 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
+ if (ipv6_addr_is_multicast(&hdr->saddr))
+ goto err;
+
+- /* While RFC4291 is not explicit about v4mapped addresses
+- * in IPv6 headers, it seems clear linux dual-stack
+- * model can not deal properly with these.
+- * Security models could be fooled by ::ffff:127.0.0.1 for example.
+- *
+- * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
+- */
+- if (ipv6_addr_v4mapped(&hdr->saddr))
+- goto err;
+-
+ skb->transport_header = skb->network_header + sizeof(*hdr);
+ IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index a516490de3db..037958ccc9f5 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1013,6 +1013,11 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
+ if (!ipv6_unicast_destination(skb))
+ goto drop;
+
++ if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
++ __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
++ return 0;
++ }
++
+ return tcp_conn_request(&tcp6_request_sock_ops,
+ &tcp_request_sock_ipv6_ops, sk, skb);
+
+--
+2.30.1
+
diff --git a/queue-4.14/selinux-vsock-set-sid-for-socket-returned-by-accept.patch b/queue-4.14/selinux-vsock-set-sid-for-socket-returned-by-accept.patch
new file mode 100644
index 00000000000..6a7279738cd
--- /dev/null
+++ b/queue-4.14/selinux-vsock-set-sid-for-socket-returned-by-accept.patch
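Review bot: In the tcp_ipv6.c part of this patch the new v4mapped-source check exits with `return 0` while the unicast-destination check directly above it uses `goto drop`, so the new reject path skips whatever the `drop` label does (the label and the rest of tcp_v6_conn_request lie outside the hunk); the dccp part is consistent with its neighbour, which also returns 0 directly. The commit message explains the choice — accounting stays on IPSTATS_MIB_INHDRERRORS to match the removed ip6_input check — but nothing in the code says so, and a later reader may well "normalise" it to goto drop. A comment above the check such as `/* v4mapped source: account as a header error like the old ip6_input check did, not as a listen drop */` would pin that intent, in the dccp hunk as well. Note for the backport that the drop now happens only at the TCP/DCCP request-socket stage; as the message states, UDPv6 and the other IPv6 receive paths accept v4mapped sources again, so anything that relied on the ip6_input drop must be enforced elsewhere.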
@@ -0,0 +1,41 @@
+From ab19e8416c3b5ab31d557c1b528a74b9ac10bc6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Mar 2021 18:24:43 +0000
+Subject: selinux: vsock: Set SID for socket returned by accept()
+
+From: David Brazdil
+
+[ Upstream commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b ]
+
+For AF_VSOCK, accept() currently returns sockets that are unlabelled.
+Other socket families derive the child's SID from the SID of the parent
+and the SID of the incoming packet. This is typically done as the
+connected socket is placed in the queue that accept() removes from.
+
+Reuse the existing 'security_sk_clone' hook to copy the SID from the
+parent (server) socket to the child. There is no packet SID in this
+case.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: David Brazdil
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/af_vsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index eafcc75f289a..ae85a5e5648b 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -635,6 +635,7 @@ struct sock *__vsock_create(struct net *net,
+ vsk->trusted = psk->trusted;
+ vsk->owner = get_cred(psk->owner);
+ vsk->connect_timeout = psk->connect_timeout;
++ security_sk_clone(parent, sk);
+ } else {
+ vsk->trusted = ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN);
+ vsk->owner = get_current_cred();
+--
+2.30.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..d63543cac89
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,2 @@
+selinux-vsock-set-sid-for-socket-returned-by-accept.patch
+ipv6-weaken-the-v4mapped-source-check.patch
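Review bot: The added `security_sk_clone(parent, sk);` carries no comment saying why the child is labelled from the listener here rather than from a packet SID, which is the one thing the commit message explains and exactly what a later reader of __vsock_create (whose start and end lie outside the hunk) will wonder about. A short comment such as `/* accept()ed child: inherit the listener's SID; vsock has no packet SID to derive one from */` would keep that reasoning with the code. Placing the call only in the `parent` branch is presumably right because the `else` branch serves socket() rather than accept(); if sockets created there are already labelled at allocation time, a word to that effect would close the question.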