From: Michal Kubecek <mkubecek@suse.cz>
Date: Wed, 15 Jun 2022 09:56:43 +0200
Subject: kabi: return type change of secure_ipv[46]_port_ephemeral()
Patch-mainline: Never, kabi workaround
References: CVE-2022-1012 CVE-2022-32296 bsc#1199482 bsc#1200288
Backport of mainline commit b2d057560b81 ("secure_seq: use the 64 bits of
the siphash for port offset calculation") changed the return type of
secure_ipv4_port_ephemeral() and secure_ipv6_port_ephemeral() helpers from
u32 to u64.
Technically it should be sufficient to just hide the change from genksyms
as we only build 64-bit architectures where the return value is passed in
the same register for both u64 and u32 (only half being used in the latter
case). But let's do a proper workaround: rename the u64 returning functions
and recreate the old helpers as wrappers around them.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 include/net/secure_seq.h    |  7 +++++--
 net/core/secure_seq.c       | 19 ++++++++++++++++---
 net/ipv4/inet_hashtables.c  |  6 +++---
 net/ipv6/inet6_hashtables.c |  6 +++---
 4 files changed, 27 insertions(+), 11 deletions(-)
--- a/include/net/secure_seq.h
+++ b/include/net/secure_seq.h
@@ -4,9 +4,12 @@
 
 #include <linux/types.h>
 
-u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
-u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
 			       __be16 dport);
+u64 secure_ipv4_port_ephemeral64(__be32 saddr, __be32 daddr, __be16 dport);
+u64 secure_ipv6_port_ephemeral64(const __be32 *saddr, const __be32 *daddr,
+				 __be16 dport);
 u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
 		   __be16 sport, __be16 dport);
 u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr);
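Review bot: The restored `u32` prototypes of `secure_ipv4_port_ephemeral()` and `secure_ipv6_port_ephemeral()` sit next to the new `*_ephemeral64()` ones with no comment saying which is the compatibility shim, so a later in-tree caller can pick the truncating variant by accident. The rationale exists only in the commit message; since the References line ties the underlying backport to CVE-2022-1012 and CVE-2022-32296, the header should state it, for example `/* kABI compat only: returns the low 32 bits; in-tree code must use the *_ephemeral64() variants */` above the two `u32` declarations. The same one-line comment would help on the wrapper definitions added in net/core/secure_seq.c.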
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -96,8 +96,8 @@ u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
 }
 EXPORT_SYMBOL(secure_tcpv6_seq);
 
-u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
-			       __be16 dport)
+u64 secure_ipv6_port_ephemeral64(const __be32 *saddr, const __be32 *daddr,
+				 __be16 dport)
 {
 	const struct {
 		struct in6_addr saddr;
@@ -114,6 +114,13 @@ u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
 	return siphash(&combined, offsetofend(typeof(combined), dport),
 		       &net_secret);
 }
+EXPORT_SYMBOL(secure_ipv6_port_ephemeral64);
+
+u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+			       __be16 dport)
+{
+	return (u32)secure_ipv6_port_ephemeral64(saddr, daddr, dport);
+}
 EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
 #endif
 
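Review bot: `EXPORT_SYMBOL(secure_ipv6_port_ephemeral64)` adds a new exported symbol, and the `@@ -154,6 +161,12 @@` hunk does the same with `EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral64)`, while the only callers this patch shows are `inet_sk_port_offset()` and `inet6_sk_port_offset()`. If those two files are always built into the kernel image (not visible from the hunks), the exports are unnecessary and only enlarge the symbol set that later kABI checks have to keep stable, so they could be dropped or justified in the commit message. Keeping the legacy `secure_ipv[46]_port_ephemeral` exports is what the workaround needs. The body of `secure_ipv6_port_ephemeral64()` begins outside this hunk.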
@@ -146,7 +153,7 @@ u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
 }
 EXPORT_SYMBOL_GPL(secure_tcp_seq);
 
-u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+u64 secure_ipv4_port_ephemeral64(__be32 saddr, __be32 daddr, __be16 dport)
 {
 	net_secret_init();
 	return siphash_4u32((__force u32)saddr, (__force u32)daddr,
@@ -154,6 +161,12 @@ u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
 			    jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,
 			    &net_secret);
 }
+EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral64);
+
+u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+{
+	return (u32)secure_ipv4_port_ephemeral64(saddr, daddr, dport);
+}
 EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
 #endif
 
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -508,9 +508,9 @@ static u64 inet_sk_port_offset(const struct sock *sk)
 {
 	const struct inet_sock *inet = inet_sk(sk);
 
-	return secure_ipv4_port_ephemeral(inet->inet_rcv_saddr,
-					  inet->inet_daddr,
-					  inet->inet_dport);
+	return secure_ipv4_port_ephemeral64(inet->inet_rcv_saddr,
+					    inet->inet_daddr,
+					    inet->inet_dport);
 }
 
 /* Searches for an exsiting socket in the ehash bucket list.
--- a/net/ipv6/inet6_hashtables.c
+++ b/net/ipv6/inet6_hashtables.c
@@ -312,9 +312,9 @@ static u64 inet6_sk_port_offset(const struct sock *sk)
 {
 	const struct inet_sock *inet = inet_sk(sk);
 
-	return secure_ipv6_port_ephemeral(sk->sk_v6_rcv_saddr.s6_addr32,
-					  sk->sk_v6_daddr.s6_addr32,
-					  inet->inet_dport);
+	return secure_ipv6_port_ephemeral64(sk->sk_v6_rcv_saddr.s6_addr32,
+					    sk->sk_v6_daddr.s6_addr32,
+					    inet->inet_dport);
 }
 
 int inet6_hash_connect(struct inet_timewait_death_row *death_row,