CT state not reset when packet redirected to different port

Bug #1940448 reported by Bodong Wang
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-bluefield (Ubuntu)
Undecided
Unassigned
Focal
Medium
Bodong Wang

Bug Description

* Explain the bug(s)

CT state not reset when packet redirected to different port, thus
making it possible to match rules with wrong ct state on the other port.

* brief explanation of fixes

Reset ct state when redirecting to a different port.
The sauce fix being reverted and should apply the upstream fix to catch all cases correctly.

* How to test

tc qdisc add dev veth0 clsact
# The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1"
tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1
tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1
tc qdisc add dev veth1 clsact
tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop

ping <remove ip via veth0> &
tc -s filter show dev veth1 ingress

With command 'tc -s filter show', we can find the pkts were dropped on veth1.

* What it could break.

Wrong matching. Traffic failure when redirecting to different ports and there are more
rules to match on the other port.

CVE References

Stefan Bader (smb)
Changed in linux-bluefield (Ubuntu Focal):
assignee: nobody → Bodong Wang (bodong-wang)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1019.22 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (95.1 KiB)

This bug was fixed in the package linux-bluefield - 5.4.0-1019.22

---------------
linux-bluefield (5.4.0-1019.22) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1019.22 -proposed tracker (LP: #1942533)

  * Focal update: v5.4.134 upstream stable release (LP: #1939440)
    - [Config] bluefield: CONFIG_BATTERY_RT5033=m

  * Fix fragmentation support for TC connection tracking (LP: #1940872)
    - net/sched: act_ct: fix restore the qdisc_skb_cb after defrag
    - net/sched: act_ct: fix miss set mru for ovs after defrag in act_ct
    - net/sched: fix miss init the mru in qdisc_skb_cb
    - net/sched: act_ct: fix wild memory access when clearing fragments
    - Revert "net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments()
      error flow"
    - net/sched: act_mirred: refactor the handle of xmit
    - net/sched: The error lable position is corrected in ct_init_module
    - net/sched: sch_frag: add generic packet fragment support.
    - ipv6: add ipv6_fragment hook in ipv6_stub

  * Add the upcoming BlueField-3 device ID (LP: #1941803)
    - net/mlx5: Update the list of the PCI supported devices

  * CT state not reset when packet redirected to different port (LP: #1940448)
    - Revert "UBUNTU: SAUCE: net/sched: act_mirred: Reset ct when reinserting skb
      back into queue"
    - net: sched: act_mirred: Reset ct info when mirror/redirect skb

  * Export xfrm_policy_lookup_bytype function (LP: #1934313)
    - SAUCE: xfrm: IPsec Export xfrm_policy_lookup_bytype function

  [ Ubuntu: 5.4.0-85.95 ]

  * focal/linux: 5.4.0-85.95 -proposed tracker (LP: #1942557)
  * please drop virtualbox-guest-dkms virtualbox-guest-source (LP: #1933248)
    - [Config] Disable virtualbox dkms build
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.06)
  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions
  * disable “CONFIG_HISI_DMA” config for ubuntu version (LP: #1936771)
    - Disable CONFIG_HISI_DMA
    - [Config] Record hisi_dma no longer built for arm64
  * memory leaking when removing a profile (LP: #1939915)
    - apparmor: Fix memory leak of profile proxy
  * CryptoExpress EP11 cards are going offline (LP: #1939618)
    - s390/zcrypt: Support for CCA protected key block version 2
    - s390: Replace zero-length array with flexible-array member
    - s390/zcrypt: Use scnprintf() for avoiding potential buffer overflow
    - s390/zcrypt: replace snprintf/sprintf with scnprintf
    - s390/ap: Remove ap device suspend and resume callbacks
    - s390/zcrypt: use fallthrough;
    - s390/zcrypt: use kvmalloc instead of kmalloc for 256k alloc
    - s390/ap: remove power management code from ap bus and drivers
    - s390/ap: introduce new ap function ap_get_qdev()
    - s390/zcrypt: use kzalloc
    - s390/zcrypt: fix smatch warnings
    - s390/zcrypt: code beautification and struct field renames
    - s390/zcrypt: split ioctl function into smaller code units
    - s390/ap: rename and clarify ap state machine related stuff
    - s390/zcrypt: provide cex4 cca sysfs attributes for cex3
    - s390/ap: rework cry...

Changed in linux-bluefield (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers