Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp2296275ybl;
        Thu, 19 Dec 2019 11:10:07 -0800 (PST)
X-Google-Smtp-Source: APXvYqzJWJn+WR5MsQHsL2CH0iJKdDbmfFtBLnF5Uo2OLvU2xz95vE7aL7eGGEe+93GbgHpxakMZ
X-Received: by 2002:a9d:7c91:: with SMTP id q17mr9926018otn.70.1576782607268;
        Thu, 19 Dec 2019 11:10:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1576782607; cv=none;
        d=google.com; s=arc-20160816;
        b=v6PSdRp/782Mn5PAMPofeUb1+GA3tumd3xbR0DHeV/Cr7vtA6iC4Isp3PBoR9I90GR
         UQ5hBWPObbhBB2svpP2uQMgEe5CD3A7TXbMIv2FhTMNRQ6IbKISNnKlQZsMbxVBrDYsG
         mX8B1QK5ilUbgh2E9MDU9WyLY6XQiFVHBWynWx2TuHp+eSZNlRcjLtmEPTXwjU9aLowG
         0Fts3DXP6zdMS2xZas/RfBNSxjRkIsmSFRaEm6TndmMvbIpT6FoZnTD3nB3LYswkIvck
         xBFgwRPUjqDOpBtp2OYOYxE69mTn/MxTgbkhsJz2kMj9v60HxOnH/u6UNoDehfsfHXmk
         fisQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=vdkZEEuZv1PH+GgVVydgBEs8QbUDCa/8YkRZUEuOwaI=;
        b=BJSZbEItTHastYZ97e35H1XF2daagm9JfpvBkSKRJo6PnGjzuzNyiVRkTVo+N0aSlf
         Ifcq8pjtlzjJ6g9W4acL8sVIexVhhS2zubh7BYQhZaSqjQm4l9D7e+oR/Q6U0nRi6BUB
         6JlYoU/Qf5R7tfx8g9s5Lucr38QHE5Z85Vq7buPYVWMyf9lqBZe6BeO4mbZsRidgBFC/
         yaWl2egrJsKuu2VPfeJ/5ByVGBAu12jMZm7iNE8CaNN2pBT0KmUAowMfb/7sNg3whgzB
         IWeX+sIh5OHffsRHJsEBLw+MH5A5NMUT98VzDwP15H+Yvc6SGGyJFwrrfpnWe+LSXoTe
         PW9g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=0hQfjfk6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q126si3463743oia.8.2019.12.19.11.09.56;
        Thu, 19 Dec 2019 11:10:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=0hQfjfk6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728078AbfLSTJE (ORCPT <rfc822;parkch98@gmail.com> + 99 others);
        Thu, 19 Dec 2019 14:09:04 -0500
Received: from mail.kernel.org ([198.145.29.99]:60010 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727574AbfLSSlH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 19 Dec 2019 13:41:07 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 381EF206D7;
        Thu, 19 Dec 2019 18:41:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1576780865;
        bh=k/Vn97eY/o48QnUPvrMfmIs4W8FZyzJ3R15DAh3PVyY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=0hQfjfk6h5VNbnEdhKf17EsIIyHyZhugZdCKAvoZH9bfeswTcB+UKvuSTYVq1TiPh
         Saeai+OOqSEMdiGeICw6RXRTzP4VH3KxfWTaCP557aqXnc25myLHMrqtA3itkFmb4g
         8+CeeUoTZmLTx9ut84aWn/rKD7d5glwKF6TGFwW4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Guillaume Nault <gnault@redhat.com>,
        Eric Dumazet <edumazet@google.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 148/162] tcp: tighten acceptance of ACKs not matching a child socket
Date:   Thu, 19 Dec 2019 19:34:16 +0100
Message-Id: <20191219183216.782494552@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191219183150.477687052@linuxfoundation.org>
References: <20191219183150.477687052@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Guillaume Nault <gnault@redhat.com>

[ Upstream commit cb44a08f8647fd2e8db5cc9ac27cd8355fa392d8 ]

When no synflood occurs, the synflood timestamp isn't updated.
Therefore it can be so old that time_after32() can consider it to be
in the future.

That's a problem for tcp_synq_no_recent_overflow() as it may report
that a recent overflow occurred while, in fact, it's just that jiffies
has grown past 'last_overflow' + TCP_SYNCOOKIE_VALID + 2^31.

Spurious detection of recent overflows lead to extra syncookie
verification in cookie_v[46]_check(). At that point, the verification
should fail and the packet dropped. But we should have dropped the
packet earlier as we didn't even send a syncookie.

Let's refine tcp_synq_no_recent_overflow() to report a recent overflow
only if jiffies is within the
[last_overflow, last_overflow + TCP_SYNCOOKIE_VALID] interval. This
way, no spurious recent overflow is reported when jiffies wraps and
'last_overflow' becomes in the future from the point of view of
time_after32().

However, if jiffies wraps and enters the
[last_overflow, last_overflow + TCP_SYNCOOKIE_VALID] interval (with
'last_overflow' being a stale synflood timestamp), then
tcp_synq_no_recent_overflow() still erroneously reports an
overflow. In such cases, we have to rely on syncookie verification
to drop the packet. We unfortunately have no way to differentiate
between a fresh and a stale syncookie timestamp.

In practice, using last_overflow as lower bound is problematic.
If the synflood timestamp is concurrently updated between the time
we read jiffies and the moment we store the timestamp in
'last_overflow', then 'now' becomes smaller than 'last_overflow' and
tcp_synq_no_recent_overflow() returns true, potentially dropping a
valid syncookie.

Reading jiffies after loading the timestamp could fix the problem,
but that'd require a memory barrier. Let's just accommodate for
potential timestamp growth instead and extend the interval using
'last_overflow - HZ' as lower bound.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/tcp.h |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -514,7 +514,15 @@ static inline bool tcp_synq_no_recent_ov
 {
 	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
 
-	return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
+	/* If last_overflow <= jiffies <= last_overflow + TCP_SYNCOOKIE_VALID,
+	 * then we're under synflood. However, we have to use
+	 * 'last_overflow - HZ' as lower bound. That's because a concurrent
+	 * tcp_synq_overflow() could update .ts_recent_stamp after we read
+	 * jiffies but before we store .ts_recent_stamp into last_overflow,
+	 * which could lead to rejecting a valid syncookie.
+	 */
+	return !time_between32(jiffies, last_overflow - HZ,
+			       last_overflow + TCP_SYNCOOKIE_VALID);
 }
 
 static inline u32 tcp_cookie_time(void)