Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp104730pxb; Mon, 13 Sep 2021 14:13:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyxj89UUYhdv+3uVSY5FhjbkWJP+o5eNX2vWgFsXcEDfLcfeG8o8vOYmaZGvlqffoj0kyUu X-Received: by 2002:a50:cc48:: with SMTP id n8mr8451282edi.304.1631567585112; Mon, 13 Sep 2021 14:13:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631567585; cv=none; d=google.com; s=arc-20160816; b=AjzcwMcXl4bPXFScM8U/y23QnDE00linO2Wa/uaBEj/g6Z+cVC/U+Z4G5vz0JxFE4J uljejCiTtpvAuEghZD74BWHd0D5ZW1tcQch0WB/Ogo235MpPt9PfRhPeuLujI5SK0S9g 7NClR3OLEBIv5AmqAia4uEsxbH8oxfPJ5oQm14e7PENovbsjQYiqj4kGi35FHiVRy3L5 85wYmRQo4PcniEAPg5F0nT2HEiht7KVsY+Wg+yLYKya17yrhkx8OXoL+htVBnRpZ6UHR QkWw+tg/JTCG+WcmFtu2Q5htaYNPAC55AaDwrrEE7c9IFtYGtGId7TcB6UGM9j15o27O MfGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=4r3WsW1GNHPlWX94BWVLdG2DiNXQTgipD3Xl9wrZOXg=; b=Yaf+yVyHAL+QjVczLs8pUnmJFuPFt5Y0gEahix0FWtxPQg+R5B+BoGvihOMfDLebmU BvxpIO2WkZ6T0I5SolmA9TxcQdaxHa9aY76lPVkBg5wPMAwRqjX4tokPpe2Blyv8AZZP 9ecWMXjeVB2ZFzSogcUmGysFPWjLGZsl4wgDYCYRIG0/3wF/PsnrLtUqrps7MhhBC19c GeWtwS8B0R0kptDAt6hco2StE+9m+n63b6tCQWgn8y8MccJoUWGXD34EYSB6OkwD95m2 h7uMfL2JHrq7A7YAV4qMr8F5S5vyKEhv28TiqmFQF3xhRn7fWoCiMdMNWgFQfAUm4CuP Ev4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=OyZnnn62; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bz20si9598124ejc.780.2021.09.13.14.12.41; Mon, 13 Sep 2021 14:13:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=OyZnnn62; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243115AbhIMNwl (ORCPT + 99 others); Mon, 13 Sep 2021 09:52:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:51782 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243719AbhIMNsx (ORCPT ); Mon, 13 Sep 2021 09:48:53 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 30015615A2; Mon, 13 Sep 2021 13:33:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631539982; bh=05ULbHgYxuP6VcUEuZbxgAc00E65upL3Qnd6ovvPQ/s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OyZnnn620I+gDipNRllI2uo4ek/eKO36z1YSNK/Tr/wltxjVdIUMuz35GlTYzgp3S RC/eacBi/xBb95G3g1WClOz2kN8Lx4AHv4r83qDGdFIhWxKOemnUtx0QjmyGDuKV6c Bv+yUaxI28TQQwS/LEV4nOr3EEJD6S2lH3VUknoc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Keyu Man , Willy Tarreau , "David S. Miller" , David Ahern , Sasha Levin Subject: [PATCH 5.10 208/236] ipv4: make exception cache less predictible Date: Mon, 13 Sep 2021 15:15:13 +0200 Message-Id: <20210913131107.456559242@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131100.316353015@linuxfoundation.org> References: <20210913131100.316353015@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ] Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()"), an attacker can still use brute force to learn some secrets from a victim linux host. One way to defeat these attacks is to make the max depth of the hash table bucket a random value. Before this patch, each bucket of the hash table used to store exceptions could contain 6 items under attack. After the patch, each bucket would contains a random number of items, between 6 and 10. The attacker can no longer infer secrets. This is slightly increasing memory size used by the hash table, by 50% in average, we do not expect this to be a problem. This patch is more complex than the prior one (IPv6 equivalent), because IPv4 was reusing the oldest entry. Since we need to be able to evict more than one entry per update_or_create_fnhe() call, I had to replace fnhe_oldest() with fnhe_remove_oldest(). Also note that we will queue extra kfree_rcu() calls under stress, which hopefully wont be a too big issue. Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") Signed-off-by: Eric Dumazet Reported-by: Keyu Man Cc: Willy Tarreau Signed-off-by: David S. Miller Reviewed-by: David Ahern Tested-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv4/route.c | 46 ++++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 3d9946fd41f3..c5d762a2be99 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -610,18 +610,25 @@ static void fnhe_flush_routes(struct fib_nh_exception *fnhe) } } -static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) +static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash) { - struct fib_nh_exception *fnhe, *oldest; + struct fib_nh_exception __rcu **fnhe_p, **oldest_p; + struct fib_nh_exception *fnhe, *oldest = NULL; - oldest = rcu_dereference(hash->chain); - for (fnhe = rcu_dereference(oldest->fnhe_next); fnhe; - fnhe = rcu_dereference(fnhe->fnhe_next)) { - if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) + for (fnhe_p = &hash->chain; ; fnhe_p = &fnhe->fnhe_next) { + fnhe = rcu_dereference_protected(*fnhe_p, + lockdep_is_held(&fnhe_lock)); + if (!fnhe) + break; + if (!oldest || + time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) { oldest = fnhe; + oldest_p = fnhe_p; + } } fnhe_flush_routes(oldest); - return oldest; + *oldest_p = oldest->fnhe_next; + kfree_rcu(oldest, rcu); } static u32 fnhe_hashfun(__be32 daddr) @@ -700,16 +707,21 @@ static void update_or_create_fnhe(struct fib_nh_common *nhc, __be32 daddr, if (rt) fill_route_from_fnhe(rt, fnhe); } else { - if (depth > FNHE_RECLAIM_DEPTH) - fnhe = fnhe_oldest(hash); - else { - fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); - if (!fnhe) - goto out_unlock; - - fnhe->fnhe_next = hash->chain; - rcu_assign_pointer(hash->chain, fnhe); + /* Randomize max depth to avoid some side channels attacks. */ + int max_depth = FNHE_RECLAIM_DEPTH + + prandom_u32_max(FNHE_RECLAIM_DEPTH); + + while (depth > max_depth) { + fnhe_remove_oldest(hash); + depth--; } + + fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); + if (!fnhe) + goto out_unlock; + + fnhe->fnhe_next = hash->chain; + fnhe->fnhe_genid = genid; fnhe->fnhe_daddr = daddr; fnhe->fnhe_gw = gw; @@ -717,6 +729,8 @@ static void update_or_create_fnhe(struct fib_nh_common *nhc, __be32 daddr, fnhe->fnhe_mtu_locked = lock; fnhe->fnhe_expires = max(1UL, expires); + rcu_assign_pointer(hash->chain, fnhe); + /* Exception created; mark the cached routes for the nexthop * stale, so anyone caching it rechecks if this exception * applies to them. -- 2.30.2