Discussion:
[PATCH net-next] xfrm: Correctly parse netlink msg from 32bits ip command on 64bits host
(too old to reply)
Fan Du
2014-02-19 09:12:56 UTC
Permalink
When trying to setup IPsec configuration on a 64bits host with
iproute2(32bits compiled), the intended xfrm policy and sa is
either deficit or wrong when kernel trying to parse user land
information.

Add compat support for 32bits compiled ip command for 64bits host.

Signed-off-by: Fan Du <***@windriver.com>
---
include/uapi/linux/xfrm.h | 44 ++++++++++++++++++++++++++++++++++++++++++++
net/xfrm/xfrm_user.c | 16 +++++++++++++++-
2 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index a8cd6a4..8d2fa8d 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -506,4 +506,48 @@ enum xfrm_nlgroups {
};
#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)

+#ifdef CONFIG_COMPAT
+
+struct compat_xfrm_userpolicy_info {
+ struct xfrm_selector sel;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ __u32 priority;
+ __u32 index;
+ __u8 dir;
+ __u8 action;
+#define XFRM_POLICY_ALLOW 0
+#define XFRM_POLICY_BLOCK 1
+ __u8 flags;
+#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ /* Automatically expand selector to include matching ICMP payloads. */
+#define XFRM_POLICY_ICMP 2
+ __u8 share;
+} __attribute__((packed));
+
+struct compat_xfrm_usersa_info {
+ struct xfrm_selector sel;
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ struct xfrm_stats stats;
+ __u32 seq;
+ __u32 reqid;
+ __u16 family;
+ __u8 mode; /* XFRM_MODE_xxx */
+ __u8 replay_window;
+ __u8 flags;
+#define XFRM_STATE_NOECN 1
+#define XFRM_STATE_DECAP_DSCP 2
+#define XFRM_STATE_NOPMTUDISC 4
+#define XFRM_STATE_WILDRECV 8
+#define XFRM_STATE_ICMP 16
+#define XFRM_STATE_AF_UNSPEC 32
+#define XFRM_STATE_ALIGN4 64
+#define XFRM_STATE_ESN 128
+} __attribute__((packed));
+
+#endif
+
#endif /* _LINUX_XFRM_H */
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1ae3ec7..8bfbd95 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2281,6 +2281,12 @@ static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = {
[XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
};

+static const int compat_xfrm_msg_min[XFRM_NR_MSGTYPES] = {
+ [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(compat_xfrm_usersa_info),
+ [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(compat_xfrm_userpolicy_info),
+ [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(compat_xfrm_userpolicy_info),
+};
+
#undef XMSGSIZE

static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
@@ -2346,6 +2352,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct nlattr *attrs[XFRMA_MAX+1];
const struct xfrm_link *link;
int type, err;
+ int len;

type = nlh->nlmsg_type;
if (type > XFRM_MSG_MAX)
@@ -2373,7 +2380,14 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
}

- err = nlmsg_parse(nlh, xfrm_msg_min[type], attrs, XFRMA_MAX,
+#ifdef CONFIG_COMPAT
+ if (is_compat_task())
+ len = compat_xfrm_msg_min[type];
+ else
+#endif
+ len = xfrm_msg_min[type];
+
+ err = nlmsg_parse(nlh, len, attrs, XFRMA_MAX,
xfrma_policy);
if (err < 0)
return err;
--
1.7.9.5
Steffen Klassert
2014-02-20 09:59:34 UTC
Permalink
Post by Fan Du
+#ifdef CONFIG_COMPAT
+
+struct compat_xfrm_userpolicy_info {
+ struct xfrm_selector sel;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ __u32 priority;
+ __u32 index;
+ __u8 dir;
+ __u8 action;
+#define XFRM_POLICY_ALLOW 0
+#define XFRM_POLICY_BLOCK 1
+ __u8 flags;
+#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ /* Automatically expand selector to include matching ICMP payloads. */
+#define XFRM_POLICY_ICMP 2
+ __u8 share;
+} __attribute__((packed));
+
+struct compat_xfrm_usersa_info {
+ struct xfrm_selector sel;
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ struct xfrm_stats stats;
+ __u32 seq;
+ __u32 reqid;
+ __u16 family;
+ __u8 mode; /* XFRM_MODE_xxx */
+ __u8 replay_window;
+ __u8 flags;
+#define XFRM_STATE_NOECN 1
+#define XFRM_STATE_DECAP_DSCP 2
+#define XFRM_STATE_NOPMTUDISC 4
+#define XFRM_STATE_WILDRECV 8
+#define XFRM_STATE_ICMP 16
+#define XFRM_STATE_AF_UNSPEC 32
+#define XFRM_STATE_ALIGN4 64
+#define XFRM_STATE_ESN 128
+} __attribute__((packed));
+
You define two structures that you actually don't use,
all you do is checking their size.

The only reason why this works is because these two
structures differ only on some padding bytes at the
end. If we want to support 32 bit ipsec tools on
64 bit kernels, we need a complete compat layer
for all the userspace exported structures.

A lot of userspace exported structures differ not only
on some padding bytes at the end.

For example the layout of xfrm_userspi_info:

on 32 bit:

struct xfrm_userspi_info {
struct xfrm_usersa_info info; /* 0 220 */

/* XXX last struct has 3 bytes of padding */

/* --- cacheline 3 boundary (192 bytes) was 28 bytes ago --- */
__u32 min; /* 220 4 */
__u32 max; /* 224 4 */

/* size: 228, cachelines: 4, members: 3 */
/* paddings: 1, sum paddings: 3 */
/* last cacheline: 36 bytes */
};

on 64 bit:

struct xfrm_userspi_info {
struct xfrm_usersa_info info; /* 0 224 */

/* XXX last struct has 7 bytes of padding */

/* --- cacheline 3 boundary (192 bytes) was 32 bytes ago --- */
__u32 min; /* 224 4 */
__u32 max; /* 228 4 */

/* size: 232, cachelines: 4, members: 3 */
/* paddings: 1, sum paddings: 7 */
/* last cacheline: 40 bytes */
};


So the 'min' field has an offest of 220 bytes on 32 bit and an offset
of 224 bytes on 64 bit. We would need a compatability layer like we
have it for system calls to map this correct.

For now I think we should just refuse to do anything if someone tries
to configure ipsec with 32 bit tools on a 64 bit machine.
Fan Du
2014-02-25 06:41:11 UTC
Permalink
Post by Steffen Klassert
For now I think we should just refuse to do anything if someone tries
to configure ipsec with 32 bit tools on a 64 bit machine.
I'm fine with your point, and it would be a good choice to inform user =
about
this behavior other than just creating non-working SA and SP for user.


From 873812ec0fe8738f476de58a217e58ec47665180 Mon Sep 17 00:00:00 2001
=46rom: Fan Du <***@windriver.com>
Date: Tue, 25 Feb 2014 14:34:41 +0800
Subject: [PATCH net-next] xfrm: Do not parse 32bits compiled xfrm netli=
nk msg on
64bits host

structure like xfrm_usersa_info or xfrm_userpolicy_info has different s=
izeof
when compiled as 32bits and 64bits due to not appending pack attribute =
in
their definition. This will result in broken SA and SP information when=
user
trying to configure them through netlink interface.

Before forging a compatibility layer like we have it for system calls t=
o map
this correct. Inform user land about this situation instead of keeping =
silent,
then the upper test scripts could behave accordingly.

Signed-off-by: Fan Du <***@windriver.com>
---
net/xfrm/xfrm_user.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1ae3ec7..0249712 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2347,6 +2347,10 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb=
, struct nlmsghdr *nlh)
const struct xfrm_link *link;
int type, err;

+#ifdef CONFIG_COMPAT
+ if (is_compat_task())
+ return -EPERM;
+#endif
type =3D nlh->nlmsg_type;
if (type > XFRM_MSG_MAX)
return -EINVAL;
--=20
1.7.9.5


--=20
=E6=B5=AE=E6=B2=89=E9=9A=8F=E6=B5=AA=E5=8F=AA=E8=AE=B0=E4=BB=8A=E6=9C=9D=
=E7=AC=91

--fan
Steffen Klassert
2014-02-25 11:53:39 UTC
Permalink
=20
=20
For now I think we should just refuse to do anything if someone trie=
s
to configure ipsec with 32 bit tools on a 64 bit machine.
=20
I'm fine with your point, and it would be a good choice to inform use=
r about
this behavior other than just creating non-working SA and SP for user=
=2E
=20
=20
From 873812ec0fe8738f476de58a217e58ec47665180 Mon Sep 17 00:00:00 200=
1
Date: Tue, 25 Feb 2014 14:34:41 +0800
Subject: [PATCH net-next] xfrm: Do not parse 32bits compiled xfrm net=
link msg on
64bits host
=20
structure like xfrm_usersa_info or xfrm_userpolicy_info has different=
sizeof
when compiled as 32bits and 64bits due to not appending pack attribut=
e in
their definition. This will result in broken SA and SP information wh=
en user
trying to configure them through netlink interface.
=20
Before forging a compatibility layer like we have it for system calls=
to map
this correct. Inform user land about this situation instead of keepin=
g silent,
then the upper test scripts could behave accordingly.
=20
I'm ok with your patch, but it does not apply to ipsec-next.
Please rebase to ipsec-next current and resend.

Thanks!
Ben Hutchings
2014-02-25 17:15:47 UTC
Permalink
Post by Steffen Klassert
For now I think we should just refuse to do anything if someone tries
to configure ipsec with 32 bit tools on a 64 bit machine.
I'm fine with your point, and it would be a good choice to inform user about
this behavior other than just creating non-working SA and SP for user.
From 873812ec0fe8738f476de58a217e58ec47665180 Mon Sep 17 00:00:00 2001
Date: Tue, 25 Feb 2014 14:34:41 +0800
Subject: [PATCH net-next] xfrm: Do not parse 32bits compiled xfrm netlink msg on
64bits host
structure like xfrm_usersa_info or xfrm_userpolicy_info has different sizeof
when compiled as 32bits and 64bits due to not appending pack attribute in
their definition. This will result in broken SA and SP information when user
trying to configure them through netlink interface.
Before forging a compatibility layer like we have it for system calls to map
this correct. Inform user land about this situation instead of keeping silent,
then the upper test scripts could behave accordingly.
---
net/xfrm/xfrm_user.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1ae3ec7..0249712 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2347,6 +2347,10 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
const struct xfrm_link *link;
int type, err;
+#ifdef CONFIG_COMPAT
+ if (is_compat_task())
+ return -EPERM;
I think this needs a log message, as it is not at all obvious that EPERM
means you ran a binary from the 'wrong' architecture.

Ben.
+#endif
type = nlh->nlmsg_type;
if (type > XFRM_MSG_MAX)
return -EINVAL;
--
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
- Albert Einstein
Florian Westphal
2014-02-25 19:16:02 UTC
Permalink
On 2014=E5=B9=B402=E6=9C=8820=E6=97=A5 17:59, Steffen Klassert wrot=
For now I think we should just refuse to do anything if someone t=
ries
to configure ipsec with 32 bit tools on a 64 bit machine.
=20
I'm fine with your point, and it would be a good choice to inform u=
ser about
this behavior other than just creating non-working SA and SP for us=
er.

It might be better to try to revive
http://thread.gmane.org/gmane.linux.network/157118/focus=3D157122

which adds full compat support.
David Miller
2014-02-27 23:52:20 UTC
Permalink
From: Florian Westphal <***@strlen.de>
Date: Tue, 25 Feb 2014 20:16:02 +0100
Post by Florian Westphal
Post by Steffen Klassert
For now I think we should just refuse to do anything if someone tries
to configure ipsec with 32 bit tools on a 64 bit machine.
I'm fine with your point, and it would be a good choice to inform user about
this behavior other than just creating non-working SA and SP for user.
It might be better to try to revive
http://thread.gmane.org/gmane.linux.network/157118/focus=157122
which adds full compat support.
Agreed.

Continue reading on narkive:
Loading...