Received: by 2002:a05:6520:4d:b0:139:a872:a4c9 with SMTP id i13csp2566926lkm; Mon, 20 Sep 2021 18:54:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwqoBdLrdxSw5K2mWTRd0pfcTiwAInjbsjvRQ0CJIFUq7bqRRD0uynIk06Ee+L11g0hfWyC X-Received: by 2002:a05:6e02:ef4:: with SMTP id j20mr20395726ilk.294.1632188912822; Mon, 20 Sep 2021 18:48:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632188912; cv=none; d=google.com; s=arc-20160816; b=PFQIhKvXoHrXznLBYLQ+dR1VbOmUL39va2gUApRj8E50UkD0g7mBwQdydSxft1nsHe DoDalkF3OxcG9ojaIBmtgac3Xm1jzJsca+hV4aJ9U4T0GyS3HZE4PPKW7hHPNL+b4LXb H6uESm4LZBM2xRDHla9fE5JqMZwMRPrNrWRp9iqZRTNX1q9q+qZHJnPNMNvjHPzl7vTm ZT1dodiCVGab+ExqxBGKJVx8BqVyNd3hznhBQvVZo+zblrKq3HZ+IXUk/NUF9Ph2Jpu/ TJiephPO5+ruaGInKJQcUjvvt2tJ0DiyHtyjK07IETGcvku2z58WBgbYVwfbZVbLnU4W +brw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Fcujfy4UiHmprRbJBko6OQLdihmsRE/GzTMV1JQQAlY=; b=Wc4NJFdseCxYUlwFp7jT+iV0gTfYwE6OHmaW+DveBhxhr7GXMy7FLDzoMM0PG2HW7P BhCxmNvP8Uf2iY+PA/VudGQRihJc9oAmnc0Tyju7PuidrpJx15t/pNZ7nhrLNUrGnt5I 5RhEkx7dopLr3UH3+RmvSvAJMVRnuxOtjlk8HcOeHxxALoYTuxYAZ8qWEKc2HW7kcGmF Ct7FEnaREtFth6bAnL+eYEuCkY4tiPQ2vE5fID1xQxbv3r6f4mpnN74VWxhGGV2hmOy6 3Op9oEUyodKgP0HEYF5l7j02ERozjVc4RoMnLP75qc5R/gaIk0JA0M6eZcwDHJx8jwsc VwoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=r+WmPoHi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z9si16350863ile.172.2021.09.20.18.48.21; Mon, 20 Sep 2021 18:48:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=r+WmPoHi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352821AbhITRmH (ORCPT + 99 others); Mon, 20 Sep 2021 13:42:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:43520 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352592AbhITRjq (ORCPT ); Mon, 20 Sep 2021 13:39:46 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 948FF61B3F; Mon, 20 Sep 2021 17:08:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1632157681; bh=eKiF2ULYXhs/ylPWv84WbrMumQzr4u4BVZKZDQmEv0M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=r+WmPoHi/VaH6nahd3nTqwRItEmuaMVDNgA1tc5e7MBno1hd4f8S8fQFZV3NClbKR scCiG16hYdWbE81FvL8JIXB4N2SQx9yOJF3PlMqjzWGwhL1oEItXlgBRgTUvQph1UB 6dOArp7guHBGFhFcEAJr1bCMxt2NzquNSHum+fPY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Keyu Man , Willy Tarreau , "David S. Miller" , David Ahern , Sasha Levin Subject: [PATCH 4.19 101/293] ipv4: make exception cache less predictible Date: Mon, 20 Sep 2021 18:41:03 +0200 Message-Id: <20210920163936.720060453@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210920163933.258815435@linuxfoundation.org> References: <20210920163933.258815435@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ] Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()"), an attacker can still use brute force to learn some secrets from a victim linux host. One way to defeat these attacks is to make the max depth of the hash table bucket a random value. Before this patch, each bucket of the hash table used to store exceptions could contain 6 items under attack. After the patch, each bucket would contains a random number of items, between 6 and 10. The attacker can no longer infer secrets. This is slightly increasing memory size used by the hash table, by 50% in average, we do not expect this to be a problem. This patch is more complex than the prior one (IPv6 equivalent), because IPv4 was reusing the oldest entry. Since we need to be able to evict more than one entry per update_or_create_fnhe() call, I had to replace fnhe_oldest() with fnhe_remove_oldest(). Also note that we will queue extra kfree_rcu() calls under stress, which hopefully wont be a too big issue. Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") Signed-off-by: Eric Dumazet Reported-by: Keyu Man Cc: Willy Tarreau Signed-off-by: David S. Miller Reviewed-by: David Ahern Tested-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv4/route.c | 46 ++++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 1491d239385e..d72bffab6ffc 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -604,18 +604,25 @@ static void fnhe_flush_routes(struct fib_nh_exception *fnhe) } } -static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) +static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash) { - struct fib_nh_exception *fnhe, *oldest; + struct fib_nh_exception __rcu **fnhe_p, **oldest_p; + struct fib_nh_exception *fnhe, *oldest = NULL; - oldest = rcu_dereference(hash->chain); - for (fnhe = rcu_dereference(oldest->fnhe_next); fnhe; - fnhe = rcu_dereference(fnhe->fnhe_next)) { - if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) + for (fnhe_p = &hash->chain; ; fnhe_p = &fnhe->fnhe_next) { + fnhe = rcu_dereference_protected(*fnhe_p, + lockdep_is_held(&fnhe_lock)); + if (!fnhe) + break; + if (!oldest || + time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) { oldest = fnhe; + oldest_p = fnhe_p; + } } fnhe_flush_routes(oldest); - return oldest; + *oldest_p = oldest->fnhe_next; + kfree_rcu(oldest, rcu); } static inline u32 fnhe_hashfun(__be32 daddr) @@ -692,16 +699,21 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, if (rt) fill_route_from_fnhe(rt, fnhe); } else { - if (depth > FNHE_RECLAIM_DEPTH) - fnhe = fnhe_oldest(hash); - else { - fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); - if (!fnhe) - goto out_unlock; - - fnhe->fnhe_next = hash->chain; - rcu_assign_pointer(hash->chain, fnhe); + /* Randomize max depth to avoid some side channels attacks. */ + int max_depth = FNHE_RECLAIM_DEPTH + + prandom_u32_max(FNHE_RECLAIM_DEPTH); + + while (depth > max_depth) { + fnhe_remove_oldest(hash); + depth--; } + + fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); + if (!fnhe) + goto out_unlock; + + fnhe->fnhe_next = hash->chain; + fnhe->fnhe_genid = genid; fnhe->fnhe_daddr = daddr; fnhe->fnhe_gw = gw; @@ -709,6 +721,8 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, fnhe->fnhe_mtu_locked = lock; fnhe->fnhe_expires = max(1UL, expires); + rcu_assign_pointer(hash->chain, fnhe); + /* Exception created; mark the cached routes for the nexthop * stale, so anyone caching it rechecks if this exception * applies to them. -- 2.30.2