git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Paul Chaignon <paul.chaignon@gmail.com>
	Wed, 7 May 2025 11:31:58 +0000 (13:31 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 4 Jun 2025 12:38:05 +0000 (14:38 +0200)
commit	0995986ffd5e783dcf67cfb03ade850a93d2787d
tree	323c162bb8c1a45adfca90209f0de4f1166854ee	tree
parent	6a39058059f67cc6b9f74d3cf0af1f48d34e2ed6	commit \| diff

xfrm: Sanitize marks before insert

[ Upstream commit 0b91fda3a1f044141e1e615456ff62508c32b202 ]

Prior to this patch, the mark is sanitized (applying the state's mask to
the state's value) only on inserts when checking if a conflicting XFRM
state or policy exists.

We discovered in Cilium that this same sanitization does not occur
in the hot-path __xfrm_state_lookup. In the hot-path, the sk_buff's mark
is simply compared to the state's value:

if ((mark & x->mark.m) != x->mark.v)
continue;

Therefore, users can define unsanitized marks (ex. 0xf42/0xf00) which will
never match any packet.

This commit updates __xfrm_state_insert and xfrm_policy_insert to store
the sanitized marks, thus removing this footgun.

This has the side effect of changing the ip output, as the
returned mark will have the mask applied to it when printed.

Fixes: 3d6acfa7641f ("xfrm: SA lookups with mark")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Louis DeLosSantos <louis.delos.devel@gmail.com>
Co-developed-by: Louis DeLosSantos <louis.delos.devel@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/xfrm/xfrm_policy.c		diff \| blob \| blame \| history
net/xfrm/xfrm_state.c		diff \| blob \| blame \| history