dev_forward_skb: do not scrub skb mark within the same name space
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Medium
|
Nicolas Dichtel | ||
Bionic |
Fix Released
|
Medium
|
Nicolas Dichtel | ||
Focal |
Fix Released
|
Medium
|
Nicolas Dichtel | ||
Hirsute |
Fix Released
|
Medium
|
Nicolas Dichtel | ||
Impish |
Fix Released
|
Medium
|
Nicolas Dichtel |
Bug Description
[Impact]
The ebpf function 'bpf_redirect' reset the mark when used with the flag BPF_F_INGRESS.
There are two main problems with that:
- it's not consistent between legacy tunnels and ebpf;
- it's not consistent between ingress and egress.
In fact, the eBPF program can easily reset the mark, but it cannot preserve it.
This kind of patch was already done in the past, see commit 963a88b31ddb ("tunnels: harmonize cleanup done on skb on xmit path"), commit ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") and commit 213dd74aee76 ("skbuff: Do not scrub skb mark within the same name space").
This is fixed upstream with commit ff70202b2d1a ("dev_forward_skb: do not scrub skb mark within the same name space").
https:/
[Test Case]
Mark a packet in the POSTROUTING hook, redirect it to another interface and display it with a netfilter log rule to check the mark.
[Regression Potential]
A user could expect that the mark is reset after a call to bpf_redirect(
CVE References
Changed in linux (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in linux (Ubuntu Focal): | |
status: | New → In Progress |
Changed in linux (Ubuntu Hirsute): | |
status: | New → In Progress |
Changed in linux (Ubuntu Impish): | |
status: | New → In Progress |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Hirsute): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Impish): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Bionic): | |
assignee: | nobody → Nicolas Dichtel (nicolas-dichtel) |
Changed in linux (Ubuntu Focal): | |
assignee: | nobody → Nicolas Dichtel (nicolas-dichtel) |
Changed in linux (Ubuntu Hirsute): | |
assignee: | nobody → Nicolas Dichtel (nicolas-dichtel) |
Changed in linux (Ubuntu Impish): | |
assignee: | nobody → Nicolas Dichtel (nicolas-dichtel) |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Hirsute): | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-focal removed: verification-needed-focal |
tags: |
added: verification-done-hirsute removed: verification-needed-hirsute |
tags: |
added: verification-done-bionic removed: verification-needed-bionic |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- hirsute' to 'verification- done-hirsute' . If the problem still exists, change the tag 'verification- needed- hirsute' to 'verification- failed- hirsute' .
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!