From 98834a4c3f81c6e4f20329ff266f9bd85731d114 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 23 Apr 2024 12:08:45 +0200 Subject: [PATCH] kernel: backport flow offload pppoe fix Signed-off-by: Felix Fietkau --- ...lter-flowtable-validate-pppoe-header.patch | 85 ++++++++++++++++++ ...lter-flowtable-incorrect-pppoe-tuple.patch | 24 +++++ ...lter-flowtable-validate-pppoe-header.patch | 87 +++++++++++++++++++ ...lter-flowtable-incorrect-pppoe-tuple.patch | 24 +++++ ...lter-flowtable-validate-pppoe-header.patch | 87 +++++++++++++++++++ ...lter-flowtable-incorrect-pppoe-tuple.patch | 24 +++++ ...-netfilter-add-xt_FLOWOFFLOAD-target.patch | 5 +- ...-netfilter-add-xt_FLOWOFFLOAD-target.patch | 5 +- ...-netfilter-add-xt_FLOWOFFLOAD-target.patch | 5 +- 9 files changed, 340 insertions(+), 6 deletions(-) create mode 100644 target/linux/generic/backport-5.15/741-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch create mode 100644 target/linux/generic/backport-5.15/741-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch create mode 100644 target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch create mode 100644 target/linux/generic/backport-6.1/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch create mode 100644 target/linux/generic/backport-6.6/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch create mode 100644 target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch diff --git a/target/linux/generic/backport-5.15/741-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch b/target/linux/generic/backport-5.15/741-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch new file mode 100644 index 000000000000..02407da8a84a --- /dev/null +++ b/target/linux/generic/backport-5.15/741-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch @@ -0,0 +1,85 @@ +From: Pablo Neira Ayuso +Date: Thu, 11 Apr 2024 13:28:59 +0200 +Subject: [PATCH] netfilter: flowtable: validate pppoe header + +Ensure there is sufficient room to access the protocol field of the +PPPoe header. Validate it once before the flowtable lookup, then use a +helper function to access protocol field. + +Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -318,7 +318,7 @@ int nf_flow_rule_route_ipv6(struct net * + int nf_flow_table_offload_init(void); + void nf_flow_table_offload_exit(void); + +-static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) ++static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) + { + __be16 proto; + +@@ -334,4 +334,14 @@ static inline __be16 nf_flow_pppoe_proto + return 0; + } + ++static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) ++{ ++ if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) ++ return false; ++ ++ *inner_proto = __nf_flow_pppoe_proto(skb); ++ ++ return true; ++} ++ + #endif /* _NF_FLOW_TABLE_H */ +--- a/net/netfilter/nf_flow_table_inet.c ++++ b/net/netfilter/nf_flow_table_inet.c +@@ -21,7 +21,8 @@ nf_flow_offload_inet_hook(void *priv, st + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): +- proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -246,10 +246,11 @@ static unsigned int nf_flow_xmit_xfrm(st + return NF_STOLEN; + } + +-static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, ++static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, + u32 *offset) + { + struct vlan_ethhdr *veth; ++ __be16 inner_proto; + + switch (skb->protocol) { + case htons(ETH_P_8021Q): +@@ -260,7 +261,8 @@ static bool nf_flow_skb_encap_protocol(c + } + break; + case htons(ETH_P_PPP_SES): +- if (nf_flow_pppoe_proto(skb) == proto) { ++ if (nf_flow_pppoe_proto(skb, &inner_proto) && ++ inner_proto == proto) { + *offset += PPPOE_SES_HLEN; + return true; + } +@@ -289,7 +291,7 @@ static void nf_flow_encap_pop(struct sk_ + skb_reset_network_header(skb); + break; + case htons(ETH_P_PPP_SES): +- skb->protocol = nf_flow_pppoe_proto(skb); ++ skb->protocol = __nf_flow_pppoe_proto(skb); + skb_pull(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + break; diff --git a/target/linux/generic/backport-5.15/741-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch b/target/linux/generic/backport-5.15/741-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch new file mode 100644 index 000000000000..3b822b169d24 --- /dev/null +++ b/target/linux/generic/backport-5.15/741-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch @@ -0,0 +1,24 @@ +From: Pablo Neira Ayuso +Date: Thu, 11 Apr 2024 13:29:00 +0200 +Subject: [PATCH] netfilter: flowtable: incorrect pppoe tuple + +pppoe traffic reaching ingress path does not match the flowtable entry +because the pppoe header is expected to be at the network header offset. +This bug causes a mismatch in the flow table lookup, so pppoe packets +enter the classical forwarding path. + +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -156,7 +156,7 @@ static void nf_flow_tuple_encap(struct s + tuple->encap[i].proto = skb->protocol; + break; + case htons(ETH_P_PPP_SES): +- phdr = (struct pppoe_hdr *)skb_mac_header(skb); ++ phdr = (struct pppoe_hdr *)skb_network_header(skb); + tuple->encap[i].id = ntohs(phdr->sid); + tuple->encap[i].proto = skb->protocol; + break; diff --git a/target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch b/target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch new file mode 100644 index 000000000000..29f211e8a502 --- /dev/null +++ b/target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch @@ -0,0 +1,87 @@ +From: Pablo Neira Ayuso +Date: Thu, 11 Apr 2024 13:28:59 +0200 +Subject: [PATCH] netfilter: flowtable: validate pppoe header + +Ensure there is sufficient room to access the protocol field of the +PPPoe header. Validate it once before the flowtable lookup, then use a +helper function to access protocol field. + +Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -335,7 +335,7 @@ int nf_flow_rule_route_ipv6(struct net * + int nf_flow_table_offload_init(void); + void nf_flow_table_offload_exit(void); + +-static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) ++static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) + { + __be16 proto; + +@@ -351,6 +351,16 @@ static inline __be16 nf_flow_pppoe_proto + return 0; + } + ++static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) ++{ ++ if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) ++ return false; ++ ++ *inner_proto = __nf_flow_pppoe_proto(skb); ++ ++ return true; ++} ++ + #define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count) + #define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count) + #define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \ +--- a/net/netfilter/nf_flow_table_inet.c ++++ b/net/netfilter/nf_flow_table_inet.c +@@ -21,7 +21,8 @@ nf_flow_offload_inet_hook(void *priv, st + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): +- proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -267,10 +267,11 @@ static unsigned int nf_flow_xmit_xfrm(st + return NF_STOLEN; + } + +-static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, ++static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, + u32 *offset) + { + struct vlan_ethhdr *veth; ++ __be16 inner_proto; + + switch (skb->protocol) { + case htons(ETH_P_8021Q): +@@ -281,7 +282,8 @@ static bool nf_flow_skb_encap_protocol(c + } + break; + case htons(ETH_P_PPP_SES): +- if (nf_flow_pppoe_proto(skb) == proto) { ++ if (nf_flow_pppoe_proto(skb, &inner_proto) && ++ inner_proto == proto) { + *offset += PPPOE_SES_HLEN; + return true; + } +@@ -310,7 +312,7 @@ static void nf_flow_encap_pop(struct sk_ + skb_reset_network_header(skb); + break; + case htons(ETH_P_PPP_SES): +- skb->protocol = nf_flow_pppoe_proto(skb); ++ skb->protocol = __nf_flow_pppoe_proto(skb); + skb_pull(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + break; diff --git a/target/linux/generic/backport-6.1/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch b/target/linux/generic/backport-6.1/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch new file mode 100644 index 000000000000..3b822b169d24 --- /dev/null +++ b/target/linux/generic/backport-6.1/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch @@ -0,0 +1,24 @@ +From: Pablo Neira Ayuso +Date: Thu, 11 Apr 2024 13:29:00 +0200 +Subject: [PATCH] netfilter: flowtable: incorrect pppoe tuple + +pppoe traffic reaching ingress path does not match the flowtable entry +because the pppoe header is expected to be at the network header offset. +This bug causes a mismatch in the flow table lookup, so pppoe packets +enter the classical forwarding path. + +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -156,7 +156,7 @@ static void nf_flow_tuple_encap(struct s + tuple->encap[i].proto = skb->protocol; + break; + case htons(ETH_P_PPP_SES): +- phdr = (struct pppoe_hdr *)skb_mac_header(skb); ++ phdr = (struct pppoe_hdr *)skb_network_header(skb); + tuple->encap[i].id = ntohs(phdr->sid); + tuple->encap[i].proto = skb->protocol; + break; diff --git a/target/linux/generic/backport-6.6/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch b/target/linux/generic/backport-6.6/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch new file mode 100644 index 000000000000..8a8773b716c7 --- /dev/null +++ b/target/linux/generic/backport-6.6/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch @@ -0,0 +1,87 @@ +From: Pablo Neira Ayuso +Date: Thu, 11 Apr 2024 13:28:59 +0200 +Subject: [PATCH] netfilter: flowtable: validate pppoe header + +Ensure there is sufficient room to access the protocol field of the +PPPoe header. Validate it once before the flowtable lookup, then use a +helper function to access protocol field. + +Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -335,7 +335,7 @@ int nf_flow_rule_route_ipv6(struct net * + int nf_flow_table_offload_init(void); + void nf_flow_table_offload_exit(void); + +-static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) ++static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) + { + __be16 proto; + +@@ -351,6 +351,16 @@ static inline __be16 nf_flow_pppoe_proto + return 0; + } + ++static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) ++{ ++ if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) ++ return false; ++ ++ *inner_proto = __nf_flow_pppoe_proto(skb); ++ ++ return true; ++} ++ + #define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count) + #define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count) + #define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \ +--- a/net/netfilter/nf_flow_table_inet.c ++++ b/net/netfilter/nf_flow_table_inet.c +@@ -21,7 +21,8 @@ nf_flow_offload_inet_hook(void *priv, st + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): +- proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -273,10 +273,11 @@ static unsigned int nf_flow_xmit_xfrm(st + return NF_STOLEN; + } + +-static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, ++static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, + u32 *offset) + { + struct vlan_ethhdr *veth; ++ __be16 inner_proto; + + switch (skb->protocol) { + case htons(ETH_P_8021Q): +@@ -287,7 +288,8 @@ static bool nf_flow_skb_encap_protocol(c + } + break; + case htons(ETH_P_PPP_SES): +- if (nf_flow_pppoe_proto(skb) == proto) { ++ if (nf_flow_pppoe_proto(skb, &inner_proto) && ++ inner_proto == proto) { + *offset += PPPOE_SES_HLEN; + return true; + } +@@ -316,7 +318,7 @@ static void nf_flow_encap_pop(struct sk_ + skb_reset_network_header(skb); + break; + case htons(ETH_P_PPP_SES): +- skb->protocol = nf_flow_pppoe_proto(skb); ++ skb->protocol = __nf_flow_pppoe_proto(skb); + skb_pull(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + break; diff --git a/target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch b/target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch new file mode 100644 index 000000000000..20ac222de1da --- /dev/null +++ b/target/linux/generic/backport-6.6/740-v6.9-02-netfilter-flowtable-incorrect-pppoe-tuple.patch @@ -0,0 +1,24 @@ +From: Pablo Neira Ayuso +Date: Thu, 11 Apr 2024 13:29:00 +0200 +Subject: [PATCH] netfilter: flowtable: incorrect pppoe tuple + +pppoe traffic reaching ingress path does not match the flowtable entry +because the pppoe header is expected to be at the network header offset. +This bug causes a mismatch in the flow table lookup, so pppoe packets +enter the classical forwarding path. + +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -157,7 +157,7 @@ static void nf_flow_tuple_encap(struct s + tuple->encap[i].proto = skb->protocol; + break; + case htons(ETH_P_PPP_SES): +- phdr = (struct pppoe_hdr *)skb_mac_header(skb); ++ phdr = (struct pppoe_hdr *)skb_network_header(skb); + tuple->encap[i].id = ntohs(phdr->sid); + tuple->encap[i].proto = skb->protocol; + break; diff --git a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index ec887539d544..49f339bddcab 100644 --- a/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-5.15/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,701 @@ +@@ -0,0 +1,702 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -163,7 +163,8 @@ Signed-off-by: Felix Fietkau + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): -+ proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; diff --git a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 6fdfc7920700..0822b1a2ddeb 100644 --- a/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-6.1/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -44,7 +44,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,702 @@ +@@ -0,0 +1,703 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -109,7 +109,8 @@ Signed-off-by: Felix Fietkau + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): -+ proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; diff --git a/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch b/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch index 973598321299..eca611da7e83 100644 --- a/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch +++ b/target/linux/generic/hack-6.6/650-netfilter-add-xt_FLOWOFFLOAD-target.patch @@ -44,7 +44,7 @@ Signed-off-by: Felix Fietkau obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o --- /dev/null +++ b/net/netfilter/xt_FLOWOFFLOAD.c -@@ -0,0 +1,702 @@ +@@ -0,0 +1,703 @@ +/* + * Copyright (C) 2018-2021 Felix Fietkau + * @@ -109,7 +109,8 @@ Signed-off-by: Felix Fietkau + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): -+ proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; -- 2.30.2