netfilter: br_netfilter: skip conntrack input hook for promisc packets

PlaidCat · PlaidCat · commit 875b3682c442 · 2024-09-12T13:28:13.000-04:00
jira LE-1907 cve CVE-2024-27415 Rebuild_History Non-Buildable kernel-5.14.0-427.33.1.el9_4 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 751de20 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/751de201.failed For historical reasons, when bridge device is in promisc mode, packets that are directed to the taps follow bridge input hook path. This patch adds a workaround to reset conntrack for these packets. Jianbo Liu reports warning splats in their test infrastructure where cloned packets reach the br_netfilter input hook to confirm the conntrack object. Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has reached the input hook because it is passed up to the bridge device to reach the taps. [ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core [ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ ctrliq#19 [ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1 [ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202 [ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000 [ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000 [ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003 [ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000 [ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800 [ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000 [ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0 [ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 57.585440] Call Trace: [ 57.585721] <IRQ> [ 57.585976] ? __warn+0x7d/0x130 [ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.586811] ? report_bug+0xf1/0x1c0 [ 57.587177] ? handle_bug+0x3f/0x70 [ 57.587539] ? exc_invalid_op+0x13/0x60 [ 57.587929] ? asm_exc_invalid_op+0x16/0x20 [ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter] [ 57.588825] nf_hook_slow+0x3d/0xd0 [ 57.589188] ? br_handle_vlan+0x4b/0x110 [ 57.589579] br_pass_frame_up+0xfc/0x150 [ 57.589970] ? br_port_flags_change+0x40/0x40 [ 57.590396] br_handle_frame_finish+0x346/0x5e0 [ 57.590837] ? ipt_do_table+0x32e/0x430 [ 57.591221] ? br_handle_local_finish+0x20/0x20 [ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter] [ 57.592286] ? br_handle_local_finish+0x20/0x20 [ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter] [ 57.593348] ? br_handle_local_finish+0x20/0x20 [ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat] [ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter] [ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter] [ 57.595280] br_handle_frame+0x1f3/0x3d0 [ 57.595676] ? br_handle_local_finish+0x20/0x20 [ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0 [ 57.596566] __netif_receive_skb_core+0x25b/0xfc0 [ 57.597017] ? __napi_build_skb+0x37/0x40 [ 57.597418] __netif_receive_skb_list_core+0xfb/0x220 Fixes: 62e7151 ("netfilter: bridge: confirm multicast packets before passing them up the stack") Reported-by: Jianbo Liu <jianbol@nvidia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 751de20) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/bridge/br_netfilter_hooks.c # net/bridge/netfilter/nf_conntrack_bridge.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/751de201.failed b/ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/751de201.failed
@@ -0,0 +1,311 @@
+netfilter: br_netfilter: skip conntrack input hook for promisc packets
+
+jira LE-1907
+cve CVE-2024-27415
+Rebuild_History Non-Buildable kernel-5.14.0-427.33.1.el9_4
+commit-author Pablo Neira Ayuso <pablo@netfilter.org>
+commit 751de2012eafa4d46d8081056761fa0e9cc8a178
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.33.1.el9_4/751de201.failed
+
+For historical reasons, when bridge device is in promisc mode, packets
+that are directed to the taps follow bridge input hook path. This patch
+adds a workaround to reset conntrack for these packets.
+
+Jianbo Liu reports warning splats in their test infrastructure where
+cloned packets reach the br_netfilter input hook to confirm the
+conntrack object.
+
+Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has
+reached the input hook because it is passed up to the bridge device to
+reach the taps.
+
+[   57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]
+[   57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core
+[   57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19
+[   57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+[   57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]
+[   57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1
+[   57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202
+[   57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000
+[   57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000
+[   57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003
+[   57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000
+[   57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800
+[   57.582313] FS:  0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000
+[   57.583040] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0
+[   57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[   57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
+0000000000000400
+[   57.585440] Call Trace:
+[   57.585721]  <IRQ>
+[   57.585976]  ? __warn+0x7d/0x130
+[   57.586323]  ? br_nf_local_in+0x157/0x180 [br_netfilter]
+[   57.586811]  ? report_bug+0xf1/0x1c0
+[   57.587177]  ? handle_bug+0x3f/0x70
+[   57.587539]  ? exc_invalid_op+0x13/0x60
+[   57.587929]  ? asm_exc_invalid_op+0x16/0x20
+[   57.588336]  ? br_nf_local_in+0x157/0x180 [br_netfilter]
+[   57.588825]  nf_hook_slow+0x3d/0xd0
+[   57.589188]  ? br_handle_vlan+0x4b/0x110
+[   57.589579]  br_pass_frame_up+0xfc/0x150
+[   57.589970]  ? br_port_flags_change+0x40/0x40
+[   57.590396]  br_handle_frame_finish+0x346/0x5e0
+[   57.590837]  ? ipt_do_table+0x32e/0x430
+[   57.591221]  ? br_handle_local_finish+0x20/0x20
+[   57.591656]  br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]
+[   57.592286]  ? br_handle_local_finish+0x20/0x20
+[   57.592802]  br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]
+[   57.593348]  ? br_handle_local_finish+0x20/0x20
+[   57.593782]  ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]
+[   57.594279]  br_nf_pre_routing+0x24c/0x550 [br_netfilter]
+[   57.594780]  ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]
+[   57.595280]  br_handle_frame+0x1f3/0x3d0
+[   57.595676]  ? br_handle_local_finish+0x20/0x20
+[   57.596118]  ? br_handle_frame_finish+0x5e0/0x5e0
+[   57.596566]  __netif_receive_skb_core+0x25b/0xfc0
+[   57.597017]  ? __napi_build_skb+0x37/0x40
+[   57.597418]  __netif_receive_skb_list_core+0xfb/0x220
+
+Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
+	Reported-by: Jianbo Liu <jianbol@nvidia.com>
+	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 751de2012eafa4d46d8081056761fa0e9cc8a178)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/bridge/br_netfilter_hooks.c
+#	net/bridge/netfilter/nf_conntrack_bridge.c
+diff --cc net/bridge/br_netfilter_hooks.c
+index 9421c5a097bd,22e35623c148..000000000000
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@@ -538,6 -557,96 +538,99 @@@ static unsigned int br_nf_pre_routing(v
+  	return NF_STOLEN;
+  }
+  
+++<<<<<<< HEAD
+++=======
++ #if IS_ENABLED(CONFIG_NF_CONNTRACK)
++ /* conntracks' nf_confirm logic cannot handle cloned skbs referencing
++  * the same nf_conn entry, which will happen for multicast (broadcast)
++  * Frames on bridges.
++  *
++  * Example:
++  *      macvlan0
++  *      br0
++  *  ethX  ethY
++  *
++  * ethX (or Y) receives multicast or broadcast packet containing
++  * an IP packet, not yet in conntrack table.
++  *
++  * 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting.
++  *    -> skb->_nfct now references a unconfirmed entry
++  * 2. skb is broad/mcast packet. bridge now passes clones out on each bridge
++  *    interface.
++  * 3. skb gets passed up the stack.
++  * 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb
++  *    and schedules a work queue to send them out on the lower devices.
++  *
++  *    The clone skb->_nfct is not a copy, it is the same entry as the
++  *    original skb.  The macvlan rx handler then returns RX_HANDLER_PASS.
++  * 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.
++  *
++  * The Macvlan broadcast worker and normal confirm path will race.
++  *
++  * This race will not happen if step 2 already confirmed a clone. In that
++  * case later steps perform skb_clone() with skb->_nfct already confirmed (in
++  * hash table).  This works fine.
++  *
++  * But such confirmation won't happen when eb/ip/nftables rules dropped the
++  * packets before they reached the nf_confirm step in postrouting.
++  *
++  * Work around this problem by explicit confirmation of the entry at
++  * LOCAL_IN time, before upper layer has a chance to clone the unconfirmed
++  * entry.
++  *
++  */
++ static unsigned int br_nf_local_in(void *priv,
++ 				   struct sk_buff *skb,
++ 				   const struct nf_hook_state *state)
++ {
++ 	bool promisc = BR_INPUT_SKB_CB(skb)->promisc;
++ 	struct nf_conntrack *nfct = skb_nfct(skb);
++ 	const struct nf_ct_hook *ct_hook;
++ 	struct nf_conn *ct;
++ 	int ret;
++ 
++ 	if (promisc) {
++ 		nf_reset_ct(skb);
++ 		return NF_ACCEPT;
++ 	}
++ 
++ 	if (!nfct || skb->pkt_type == PACKET_HOST)
++ 		return NF_ACCEPT;
++ 
++ 	ct = container_of(nfct, struct nf_conn, ct_general);
++ 	if (likely(nf_ct_is_confirmed(ct)))
++ 		return NF_ACCEPT;
++ 
++ 	WARN_ON_ONCE(skb_shared(skb));
++ 	WARN_ON_ONCE(refcount_read(&nfct->use) != 1);
++ 
++ 	/* We can't call nf_confirm here, it would create a dependency
++ 	 * on nf_conntrack module.
++ 	 */
++ 	ct_hook = rcu_dereference(nf_ct_hook);
++ 	if (!ct_hook) {
++ 		skb->_nfct = 0ul;
++ 		nf_conntrack_put(nfct);
++ 		return NF_ACCEPT;
++ 	}
++ 
++ 	nf_bridge_pull_encap_header(skb);
++ 	ret = ct_hook->confirm(skb);
++ 	switch (ret & NF_VERDICT_MASK) {
++ 	case NF_STOLEN:
++ 		return NF_STOLEN;
++ 	default:
++ 		nf_bridge_push_encap_header(skb);
++ 		break;
++ 	}
++ 
++ 	ct = container_of(nfct, struct nf_conn, ct_general);
++ 	WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
++ 
++ 	return ret;
++ }
++ #endif
+++>>>>>>> 751de2012eaf (netfilter: br_netfilter: skip conntrack input hook for promisc packets)
+  
+  /* PF_BRIDGE/FORWARD *************************************************/
+  static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+diff --cc net/bridge/netfilter/nf_conntrack_bridge.c
+index 56efda595b81,c3c51b9a6826..000000000000
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@@ -291,6 -291,36 +291,39 @@@ static unsigned int nf_ct_bridge_pre(vo
+  	return nf_conntrack_in(skb, &bridge_state);
+  }
+  
+++<<<<<<< HEAD
+++=======
++ static unsigned int nf_ct_bridge_in(void *priv, struct sk_buff *skb,
++ 				    const struct nf_hook_state *state)
++ {
++ 	bool promisc = BR_INPUT_SKB_CB(skb)->promisc;
++ 	struct nf_conntrack *nfct = skb_nfct(skb);
++ 	struct nf_conn *ct;
++ 
++ 	if (promisc) {
++ 		nf_reset_ct(skb);
++ 		return NF_ACCEPT;
++ 	}
++ 
++ 	if (!nfct || skb->pkt_type == PACKET_HOST)
++ 		return NF_ACCEPT;
++ 
++ 	/* nf_conntrack_confirm() cannot handle concurrent clones,
++ 	 * this happens for broad/multicast frames with e.g. macvlan on top
++ 	 * of the bridge device.
++ 	 */
++ 	ct = container_of(nfct, struct nf_conn, ct_general);
++ 	if (nf_ct_is_confirmed(ct) || nf_ct_is_template(ct))
++ 		return NF_ACCEPT;
++ 
++ 	/* let inet prerouting call conntrack again */
++ 	skb->_nfct = 0;
++ 	nf_ct_put(ct);
++ 
++ 	return NF_ACCEPT;
++ }
++ 
+++>>>>>>> 751de2012eaf (netfilter: br_netfilter: skip conntrack input hook for promisc packets)
+  static void nf_ct_bridge_frag_save(struct sk_buff *skb,
+  				   struct nf_bridge_frag_data *data)
+  {
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index c729528b5e85..e09000e38d07 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -30,7 +30,7 @@ br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
+ 	return netif_receive_skb(skb);
+ }
+ 
+-static int br_pass_frame_up(struct sk_buff *skb)
++static int br_pass_frame_up(struct sk_buff *skb, bool promisc)
+ {
+ 	struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev;
+ 	struct net_bridge *br = netdev_priv(brdev);
+@@ -65,6 +65,8 @@ static int br_pass_frame_up(struct sk_buff *skb)
+ 	br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb),
+ 			   BR_MCAST_DIR_TX);
+ 
++	BR_INPUT_SKB_CB(skb)->promisc = promisc;
++
+ 	return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+ 		       dev_net(indev), NULL, skb, indev, NULL,
+ 		       br_netif_receive_skb);
+@@ -82,6 +84,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ 	struct net_bridge_mcast *brmctx;
+ 	struct net_bridge_vlan *vlan;
+ 	struct net_bridge *br;
++	bool promisc;
+ 	u16 vid = 0;
+ 	u8 state;
+ 
+@@ -137,7 +140,9 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ 	if (p->flags & BR_LEARNING)
+ 		br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, 0);
+ 
+-	local_rcv = !!(br->dev->flags & IFF_PROMISC);
++	promisc = !!(br->dev->flags & IFF_PROMISC);
++	local_rcv = promisc;
++
+ 	if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) {
+ 		/* by definition the broadcast is also a multicast address */
+ 		if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) {
+@@ -200,7 +205,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ 		unsigned long now = jiffies;
+ 
+ 		if (test_bit(BR_FDB_LOCAL, &dst->flags))
+-			return br_pass_frame_up(skb);
++			return br_pass_frame_up(skb, false);
+ 
+ 		if (now != dst->used)
+ 			dst->used = now;
+@@ -213,7 +218,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ 	}
+ 
+ 	if (local_rcv)
+-		return br_pass_frame_up(skb);
++		return br_pass_frame_up(skb, promisc);
+ 
+ out:
+ 	return 0;
+@@ -386,6 +391,8 @@ static rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
+ 				goto forward;
+ 		}
+ 
++		BR_INPUT_SKB_CB(skb)->promisc = false;
++
+ 		/* The else clause should be hit when nf_hook():
+ 		 *   - returns < 0 (drop/error)
+ 		 *   - returns = 0 (stolen/nf_queue)
+* Unmerged path net/bridge/br_netfilter_hooks.c
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index ed200884afd2..1c7a03c54d17 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -582,6 +582,7 @@ struct br_input_skb_cb {
+ #endif
+ 	u8 proxyarp_replied:1;
+ 	u8 src_port_isolated:1;
++	u8 promisc:1;
+ #ifdef CONFIG_BRIDGE_VLAN_FILTERING
+ 	u8 vlan_filtered:1;
+ #endif
+* Unmerged path net/bridge/netfilter/nf_conntrack_bridge.c
