hsr: netlink notifications leak across network namespaces
From: Maoyi Xie
Date: Mon May 18 2026 - 02:45:04 EST
Hi all,
(Resending from a personal address. My previous attempt from
my NTU corporate account carried an auto-appended confidentiality
disclaimer that you've declined to accept. The content below is
unchanged.)
I noticed what looks like a cross-namespace leak in
net/hsr/hsr_netlink.c on linux-7.1-rc1. Could you confirm whether this
is a real defect, and worth fixing?
# Where it is
net/hsr/hsr_netlink.c line 250 in hsr_nl_ringerror()
net/hsr/hsr_netlink.c line 287 in hsr_nl_nodedown()
Both call genlmsg_multicast(&hsr_genl_family, skb, 0, 0, GFP_ATOMIC).
# What looks wrong
hsr_genl_family is registered with .netnsok = true (line 557),
so HSR devices can live in non-init network namespaces. But
genlmsg_multicast() delivers on the kernel default generic
netlink socket. That socket lives in init_net. Events from any
HSR device end up there, regardless of which network namespace
the device sits in.
Other .netnsok = true networking subsystems use
genlmsg_multicast_netns() instead. Examples:
drivers/net/gtp.c
drivers/net/ovpn/netlink.c
drivers/net/team/team_core.c
net/batman-adv/netlink.c
net/core/netdev-genl.c
net/ethtool/netlink.c
net/handshake/netlink.c
# Two effects
1. A privileged listener in init_net subscribed to the
   "hsr-network" group receives ring-error and node-down events
   for HSR devices in any network namespace. The payload carries
   the peer MAC (HSR_A_NODE_ADDR) and the slave port ifindex
   (HSR_A_IFINDEX). This looks like a cross-namespace information
   leak.
2. A listener inside the HSR device's own network namespace
   never sees its own events. This is a functional defect for any
   namespaced HSR consumer.
# How I tested
The attached proof of concept sets up vethA0/vethB0 with hsr1 in
init_net and vethA1/vethB1 with hsr0 in a child network
namespace. Veth pairs bridge the namespace boundary. Both HSRs
talk for 4 seconds so the node tables fill. Then vethA0/vethB0 go
down. Each side's prune timer fires hsr_nl_nodedown() for the
peer MAC. Two listeners report what they got.
Vanilla linux-7.1-rc1:
init_net received 2 HSR notifications
child namespace received 0 HSR notifications
With genlmsg_multicast_netns() routed via
dev_net(master->dev) and dev_net(port->dev):
init_net received 1 HSR notification (hsr1's event)
child namespace received 1 HSR notification (hsr0's event)
The proof of concept source poc_hsr_pernet.c and the run log
poc_hsr_pernet.log are attached. The proof of concept build
overrides HSR_NODE_FORGET_TIME from 60000 ms to 3000 ms to
keep wall clock short; the bug shape is the same at the
stock 60 s.
If you confirm this is a real bug, I have a small patch ready
that switches the two callers to genlmsg_multicast_netns().
Please let me know if you would like me to send it as a
follow-up.
Thanks,
Maoyi
--
Nanyang Technological University
https://maoyixie.com/
Attachments: poc_hsr_pernet.log, poc_hsr_pernet.c
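The "two listeners" check described in the report can be reproduced without libnl. The program below is an added example, not the report's poc_hsr_pernet.c and not kernel code: it resolves the "hsr-network" multicast group id through the nlctrl family, joins the group on a NETLINK_GENERIC socket created in whatever network namespace the process runs in, and counts the events that arrive there. The generic netlink family name "HSR" is my assumption from reading hsr_netlink.c, not something the report states; both names can be overridden on the command line. Running one copy in init_net and one under `ip netns exec <ns>` while the HSR slave ports go down shows where genlmsg_multicast() delivers: with the unpatched callers only the init_net copy counts events, with genlmsg_multicast_netns() each copy sees its own namespace's events.

```c
/* genl_ns_listen.c: libnl-free generic netlink group listener (added example,
 * not the report's PoC). Family name "HSR" is an assumption; "hsr-network" is
 * the multicast group the report names. Both can be overridden via argv. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>

#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
#define attr_data(a) ((const unsigned char *)(a) + NLA_HDRLEN)
#define attr_end(a)  ((const unsigned char *)(a) + (a)->nla_len)

/* Append one attribute at offset len of a zeroed buffer; returns new length. */
static size_t nla_put(unsigned char *buf, size_t len, uint16_t type,
                      const void *data, size_t dlen)
{
    struct nlattr *a = (struct nlattr *)(buf + len);
    a->nla_type = type;
    a->nla_len = (uint16_t)(NLA_HDRLEN + dlen);
    memcpy(buf + len + NLA_HDRLEN, data, dlen);
    return len + NLA_ALIGN(a->nla_len);
}

/* Build a CTRL_CMD_GETFAMILY request for family; returns its length. */
static size_t build_getfamily_req(unsigned char *buf, size_t cap,
                                  const char *family)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct genlmsghdr *gh = (struct genlmsghdr *)NLMSG_DATA(nlh);
    memset(buf, 0, cap);
    nlh->nlmsg_type = GENL_ID_CTRL;
    nlh->nlmsg_flags = NLM_F_REQUEST;
    gh->cmd = CTRL_CMD_GETFAMILY;
    gh->version = 1;
    nlh->nlmsg_len = (uint32_t)nla_put(buf, NLMSG_HDRLEN + GENL_HDRLEN,
                                       CTRL_ATTR_FAMILY_NAME, family,
                                       strlen(family) + 1);
    return nlh->nlmsg_len;
}

/* First attribute of the given type in [p, end); NULL if absent or malformed. */
static const struct nlattr *nla_find(const unsigned char *p,
                                     const unsigned char *end, uint16_t type)
{
    for (; p + NLA_HDRLEN <= end; p += NLA_ALIGN(((const struct nlattr *)p)->nla_len)) {
        const struct nlattr *a = (const struct nlattr *)p;
        if (a->nla_len < NLA_HDRLEN || attr_end(a) > end)
            return NULL;
        if ((a->nla_type & NLA_TYPE_MASK) == type)
            return a;
    }
    return NULL;
}

/* Id of multicast group `group` from a CTRL_CMD_GETFAMILY reply. nlctrl nests
 * one attribute per group (numbered 1..n) under CTRL_ATTR_MCAST_GROUPS, each
 * holding CTRL_ATTR_MCAST_GRP_NAME and CTRL_ATTR_MCAST_GRP_ID. -1 on error. */
static int parse_group_id(const unsigned char *buf, size_t len,
                          const char *group, uint32_t *grp_id)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const struct nlattr *groups, *ga, *name, *id;
    uint16_t i;
    if (len < NLMSG_HDRLEN + GENL_HDRLEN || nlh->nlmsg_len > len ||
        nlh->nlmsg_type != GENL_ID_CTRL)   /* NLMSG_ERROR etc. rejected here */
        return -1;
    groups = nla_find(buf + NLMSG_HDRLEN + GENL_HDRLEN, buf + nlh->nlmsg_len,
                      CTRL_ATTR_MCAST_GROUPS);
    for (i = 1; groups && (ga = nla_find(attr_data(groups), attr_end(groups), i)); i++) {
        name = nla_find(attr_data(ga), attr_end(ga), CTRL_ATTR_MCAST_GRP_NAME);
        id = nla_find(attr_data(ga), attr_end(ga), CTRL_ATTR_MCAST_GRP_ID);
        if (name && id && id->nla_len >= NLA_HDRLEN + 4 &&
            memchr(attr_data(name), 0, name->nla_len - NLA_HDRLEN) &&
            strcmp((const char *)attr_data(name), group) == 0) {
            memcpy(grp_id, attr_data(id), 4);
            return 0;
        }
    }
    return -1;
}

/* Usage: ./genl_ns_listen [family [group]]. Run one copy in init_net and one
 * under `ip netns exec <ns>` while the HSR ports go down; compare the counts. */
int main(int argc, char **argv)
{
    unsigned char buf[4096];
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    uint32_t grp_id;
    ssize_t n;
    int count = 0, fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    size_t len = build_getfamily_req(buf, sizeof buf, argc > 1 ? argv[1] : "HSR");
    /* The socket lives in the caller's netns; that is what decides whether
     * genlmsg_multicast() (init_net only) or the _netns() variant reaches it. */
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        send(fd, buf, len, 0) < 0 || (n = recv(fd, buf, sizeof buf, 0)) < 0 ||
        parse_group_id(buf, (size_t)n, argc > 2 ? argv[2] : "hsr-network", &grp_id) < 0 ||
        setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp_id, sizeof grp_id) < 0)
        return fputs("join failed: family/group not visible in this netns?\n", stderr), 1;
    while (recv(fd, buf, sizeof buf, 0) > 0)
        printf("event %d received in this namespace\n", ++count);
    return 0;
}
```

The group id is looked up rather than hard-coded because generic netlink assigns multicast group ids dynamically (mcgrp_offset plus index), so the value differs between kernels and even between boots. Joining needs no privilege beyond the netns the process already sits in, which is exactly why the init_net delivery in the unpatched code is observable from any init_net process subscribed to the group.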