From: Michal Kubecek <mkubecek@suse.cz>
Date: Wed, 15 Jun 2022 09:56:43 +0200
Subject: kabi: return type change of secure_ipv[46]_port_ephemeral()
Patch-mainline: Never, kabi workaround
References: CVE-2022-1012 CVE-2022-32296 bsc#1199482 bsc#1200288
Backport of mainline commit b2d057560b81 ("secure_seq: use the 64 bits of
the siphash for port offset calculation") changed the return type of
secure_ipv4_port_ephemeral() and secure_ipv6_port_ephemeral() helpers from
u32 to u64.
Technically it should be sufficient to just hide the change from genksyms
as we only build 64-bit architectures where the return value is passed in
the same register for both u64 and u32 (only half being used in the latter
case). But let's do a proper workaround: rename the u64 returning functions
and recreate the old helpers as wrappers around them.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
include/net/secure_seq.h | 7 +++++--
net/core/secure_seq.c | 19 ++++++++++++++++---
net/ipv4/inet_hashtables.c | 6 +++---
net/ipv6/inet6_hashtables.c | 6 +++---
4 files changed, 27 insertions(+), 11 deletions(-)
--- a/include/net/secure_seq.h
+++ b/include/net/secure_seq.h
@@ -3,9 +3,12 @@
#include <linux/types.h>
-u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
-u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
__be16 dport);
+u64 secure_ipv4_port_ephemeral64(__be32 saddr, __be32 daddr, __be16 dport);
+u64 secure_ipv6_port_ephemeral64(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport);
u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
__be16 sport, __be16 dport);
u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr);
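Review bot: The restored `u32` prototypes for secure_ipv4_port_ephemeral() and secure_ipv6_port_ephemeral() carry no comment saying they exist only for kABI, and nothing in the header tells a reader that they return a truncated value. The wrappers added in net/core/secure_seq.c cast the 64-bit siphash result with `(u32)`, so a caller that picks the old name, for example through a later backport, gets only the low 32 bits of the port offset that the mainline change referenced for CVE-2022-1012 widened to 64. I would add above the two prototypes `/* kABI compatibility only: returns the low 32 bits of the offset; in-tree code must use the *_port_ephemeral64() variants. */` and repeat a one-line version on each wrapper definition. The callers converted in inet_hashtables.c and inet6_hashtables.c are the only ones visible in this patch; whether the tree has other users of the old names cannot be seen from here and is worth confirming before merge.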
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -95,8 +95,8 @@ u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
}
EXPORT_SYMBOL(secure_tcpv6_seq);
-u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
- __be16 dport)
+u64 secure_ipv6_port_ephemeral64(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport)
{
const struct {
struct in6_addr saddr;
@@ -113,6 +113,13 @@ u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
return siphash(&combined, offsetofend(typeof(combined), dport),
&net_secret);
}
+EXPORT_SYMBOL(secure_ipv6_port_ephemeral64);
+
+u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport)
+{
+ return (u32)secure_ipv6_port_ephemeral64(saddr, daddr, dport);
+}
EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
#endif
@@ -145,7 +152,7 @@ u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
}
EXPORT_SYMBOL_GPL(secure_tcp_seq);
-u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+u64 secure_ipv4_port_ephemeral64(__be32 saddr, __be32 daddr, __be16 dport)
{
net_secret_init();
return siphash_4u32((__force u32)saddr, (__force u32)daddr,
@@ -153,6 +160,12 @@ u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
jiffies / EPHEMERAL_PORT_SHUFFLE_PERIOD,
&net_secret);
}
+EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral64);
+
+u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+{
+ return (u32)secure_ipv4_port_ephemeral64(saddr, daddr, dport);
+}
EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
#endif
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -396,9 +396,9 @@ static u64 inet_sk_port_offset(const struct sock *sk)
{
const struct inet_sock *inet = inet_sk(sk);
- return secure_ipv4_port_ephemeral(inet->inet_rcv_saddr,
- inet->inet_daddr,
- inet->inet_dport);
+ return secure_ipv4_port_ephemeral64(inet->inet_rcv_saddr,
+ inet->inet_daddr,
+ inet->inet_dport);
}
/* Searches for an exsiting socket in the ehash bucket list.
--- a/net/ipv6/inet6_hashtables.c
+++ b/net/ipv6/inet6_hashtables.c
@@ -245,9 +245,9 @@ static u64 inet6_sk_port_offset(const struct sock *sk)
{
const struct inet_sock *inet = inet_sk(sk);
- return secure_ipv6_port_ephemeral(sk->sk_v6_rcv_saddr.s6_addr32,
- sk->sk_v6_daddr.s6_addr32,
- inet->inet_dport);
+ return secure_ipv6_port_ephemeral64(sk->sk_v6_rcv_saddr.s6_addr32,
+ sk->sk_v6_daddr.s6_addr32,
+ inet->inet_dport);
}
int inet6_hash_connect(struct inet_timewait_death_row *death_row,