[SRU][CVE-2020-25645][Xenial][PATCH 0/1] geneve: add transport ports in route lookup for geneve

William Breathitt Gray william.gray at canonical.com
Wed Nov 4 18:07:52 UTC 2020


SRU Justification
=================

[Impact]

A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic
between two Geneve endpoints may be unencrypted when IPsec is configured
to encrypt traffic for the specific UDP port used by the GENEVE tunnel
allowing anyone between the two endpoints to read the traffic
unencrypted. The main threat from this vulnerability is to data
confidentiality.

[Testing]

This can be tested by configuring a host-host VPN using an IKE
daemon and specifying port numbers. For example, for an
Openswan-type configuration, the following parameters should be
configured on both hosts and IPsec set up as per normal:

$ cat /etc/ipsec.conf

conn in
...
left=$IP1
right=$IP2
...
leftprotoport=udp/6081
rightprotoport=udp
...
conn out
...
left=$IP1
right=$IP2
...
leftprotoport=udp
rightprotoport=udp/6081
...

The tunnel can then be set up using "ip" on both hosts (but
changing the relevant IP addresses):

$ ip link add tun type geneve id 1000 remote $IP2
$ ip addr add 192.168.0.1/24 dev tun
$ ip link set tun up

This can then be tested by pinging from $IP1:

$ ping 192.168.0.2

Without this patch the traffic is unencrypted on the wire.
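As an added example (not part of this cover letter or of the kernel patch), the script below wraps the tunnel setup from the [Testing] section and adds the on-the-wire check the last sentence implies: capture on the underlay interface while pinging the peer through the tunnel, then count plaintext Geneve packets versus ESP packets. It assumes things the mail does not state: the name of the underlay interface, that tcpdump and coreutils timeout are installed, and that the setup/check functions run as root on a host whose IPsec policy for udp/6081 is already loaded. The tcpdump lines used by the demo mode are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the SRU cover letter or the kernel patch.
# Wraps the tunnel setup from the [Testing] section and adds a wire check:
# capture on the underlay while pinging the peer through the tunnel, then
# count plaintext Geneve packets versus ESP packets.
# Assumptions (not from the original mail): the underlay interface name,
# tcpdump and coreutils timeout are available, and the setup/check
# functions run as root on a host whose IPsec policy is already up.

GENEVE_PORT=6081   # UDP port used by the Geneve tunnel, as in ipsec.conf

# Same three commands as the cover letter, with the addresses as arguments.
setup_tunnel() {
    remote_ip="$1"; overlay_cidr="$2"
    ip link add tun type geneve id 1000 remote "$remote_ip"
    ip addr add "$overlay_cidr" dev tun
    ip link set tun up
}

# Pure text filter: reads "tcpdump -n" output on stdin and prints
# "plaintext=<n> esp=<m>". Plaintext Geneve shows up as UDP to .6081;
# IPsec-protected traffic shows up as ESP(spi=...). Any plaintext packet
# on the underlay means the udp/6081 policy was not applied to the flow,
# which is the symptom this fix removes.
classify_capture() {
    plain=0; esp=0
    while IFS= read -r line; do
        case "$line" in
            *"ESP(spi="*)          esp=$((esp + 1)) ;;
            *".$GENEVE_PORT: "*)   plain=$((plain + 1)) ;;
        esac
    done
    echo "plaintext=$plain esp=$esp"
}

# Capture up to 20 matching packets (or 15 seconds) on the underlay while
# pinging the peer's overlay address, then classify what was seen.
capture_and_classify() {
    underlay_if="$1"; peer_overlay_ip="$2"
    capture=$(mktemp)
    timeout 15 tcpdump -n -l -i "$underlay_if" -c 20 \
        "udp port $GENEVE_PORT or esp" > "$capture" 2>/dev/null &
    tcpdump_pid=$!
    ping -c 5 "$peer_overlay_ip" > /dev/null 2>&1 || true
    wait "$tcpdump_pid" || true
    classify_capture < "$capture"
    rm -f "$capture"
}

# Constructed sample lines in tcpdump's text format (not a real capture),
# so the classifier can be exercised without root or a tunnel.
sample_capture() {
    printf '%s\n' \
      '12:00:00.000001 IP 10.0.0.1.49152 > 10.0.0.2.6081: Geneve, Flags [none], vni 0x3e8, proto TEB (0x6558)' \
      '12:00:00.000002 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0xc0ffee01,seq=0x1), length 148' \
      '12:00:00.000003 IP 10.0.0.1.49152 > 10.0.0.2.6081: Geneve, Flags [none], vni 0x3e8, proto TEB (0x6558)'
}

# Usage:  sh geneve_check.sh demo                              (offline, sample data)
#         sh geneve_check.sh run <underlay-if> <peer-overlay-ip>   (as root)
case "${1:-demo}" in
    demo) sample_capture | classify_capture ;;   # prints plaintext=2 esp=1
    run)  capture_and_classify "$2" "$3" ;;
esac
```

On an unpatched kernel with the ipsec.conf above, the "run" mode reports a non-zero plaintext count on the underlay even though the policy names udp/6081; on a patched kernel the Geneve flow is matched against the policy and only ESP packets appear. The classifier keys on tcpdump's own rendering of ESP and of the destination port, so it needs no packet decoding of its own.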

[Regression Potential]

Regression potential is very low. Changes only touch the
drivers/net/geneve.c file, and consist of minor context adjustments and
simply storing the source and destination ports in the fl4 data
structure.

[Miscellaneous]

Fix is already available in Bionic, Focal, and Groovy.

Mark Gray (1):
  geneve: add transport ports in route lookup for geneve

 drivers/net/geneve.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

-- 
2.25.1



