From: Michal Kubecek <mkubecek@suse.cz>
Subject: kabi: handle addition of netns_ipv4::ip_id_key
Patch-mainline: Never, kabi workaround
References: CVE-2019-10638 bsc#1140575
Backport of mainline commit df453700e8d8 ("inet: switch IP ID generator to
siphash") adds new member ip_id_ikey into struct netns_ipv4 which is
embedded into kabi-protected struct net. As struct net is always allocated
by in-tree kernel code and struct netns_ipv4 is not used anywhere else, we
can move ip_id_key out of netns_ipv4 to the end of struct net itself and
hide it from genksyms.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
include/net/net_namespace.h | 1 +
include/net/netns/ipv4.h | 1 -
net/ipv4/route.c | 7 +++----
net/ipv6/output_core.c | 7 +++----
4 files changed, 7 insertions(+), 9 deletions(-)
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -156,6 +156,7 @@ struct net {
struct uevent_sock *uevent_sock; /* uevent socket */
int sysctl_tcp_min_snd_mss;
u32 hash_mix;
+ siphash_key_t ip_id_key;
int ip6frag_strict_short;
#endif
};
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -160,6 +160,5 @@ struct netns_ipv4 {
unsigned int fib_seq; /* protected by rtnl_mutex */
atomic_t rt_genid;
- siphash_key_t ip_id_key;
};
#endif
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -516,14 +516,13 @@ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
u32 hash, id;
/* Note the following code is not safe, but this is okay. */
- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
- get_random_bytes(&net->ipv4.ip_id_key,
- sizeof(net->ipv4.ip_id_key));
+ if (unlikely(siphash_key_is_zero(&net->ip_id_key)))
+ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key));
hash = siphash_3u32((__force u32)iph->daddr,
(__force u32)iph->saddr,
iph->protocol,
- &net->ipv4.ip_id_key);
+ &net->ip_id_key);
id = ip_idents_reserve(hash, segs);
iph->id = htons(id);
}
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -24,11 +24,10 @@ static u32 __ipv6_select_ident(struct net *net,
u32 hash, id;
/* Note the following code is not safe, but this is okay. */
- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
- get_random_bytes(&net->ipv4.ip_id_key,
- sizeof(net->ipv4.ip_id_key));
+ if (unlikely(siphash_key_is_zero(&net->ip_id_key)))
+ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key));
- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+ hash = siphash(&combined, sizeof(combined), &net->ip_id_key);
/* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
* set the hight order instead thus minimizing possible future