From 9bf7728b3bacb05cf63d8f09a2d64235e311d2f7 Mon Sep 17 00:00:00 2001 From: Benedict Wong Date: Thu, 21 Jul 2022 06:54:43 +0000 Subject: [PATCH] FROMLIST: xfrm: Ensure policy checked for nested ESP tunnels This change ensures that all nested XFRM packets have their policy checked before decryption of the next layer, so that policies are verified at each intermediate step of the decryption process. Notably, raw ESP/AH packets do not perform policy checks inherently, whereas all other encapsulated packets (UDP, TCP encapsulated) do policy checks after calling xfrm_input handling in the respective encapsulation layer. This is necessary especially for nested tunnels, as the IP addresses, protocol and ports may all change, thus not matching the previous policies. In order to ensure that packets match the relevant inbound templates, the xfrm_policy_check should be done before handing off to the inner XFRM protocol to decrypt and decapsulate. In order to prevent double-checking packets both here and in the encapsulation layers, this check is currently limited to nested tunnel-mode transforms and checked prior to decapsulation of inner tunnel layers (prior to hitting a nested tunnel's xfrm_input, there is no great way to detect a nested tunnel). This is primarily a performance consideration, as a general blanket check at the end of xfrm_input would suffice, but may result in multiple policy checks. Bug: 236423446 Bug: 277711867 Test: Tested against Android Kernel Unit Tests Link: https://lore.kernel.org/netdev/20220824221252.4130836-3-benedictwong@google.com/ Signed-off-by: Benedict Wong (cherry picked from commit b5bf2997c3438528631ce0e945884927fbe751ae) Merged-In: I20c5abf39512d7f6cf438c0921a78a84e281b4e9 Change-Id: I20c5abf39512d7f6cf438c0921a78a84e281b4e9 --- net/xfrm/xfrm_input.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 7c5958a2eed4..05268359cffe 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -585,6 +585,20 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto drop; } + /* If nested tunnel, check outer states before context is lost. + * Only nested tunnels need to be checked, since IP addresses change + * as a result of the tunnel mode decapsulation. Similarly, this check + * is limited to nested tunnels to avoid performing another policy + * check on non-nested tunnels. On success, this check also updates the + * secpath's verified_cnt variable, skipping future verifications of + * previously-verified secpath entries. + */ + if ((x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL) && + sp->verified_cnt < sp->len && + !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) { + goto drop; + } + skb->mark = xfrm_smark_get(skb->mark, x); sp->xvec[sp->len++] = x;