Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid panic when counting IPsec keys #27996

Merged
merged 1 commit into from Sep 12, 2023
Merged

Avoid panic when counting IPsec keys #27996

merged 1 commit into from Sep 12, 2023

Conversation

jschwinger233
Copy link
Member

@jschwinger233 jschwinger233 commented Sep 7, 2023
edited

When executing cilium encrypt status, cilium-agent lists xfrm states and counts number of different AEAD keys. However, cilium-agent panics if there is any xfrm state using non-AEAD algorithm. These unexpected xfrm states could be installed by other applications.

To reproduce the panic, we can manually install one by running command:

ip x s a src 1.1.1.1 dst 1.1.1.2 proto esp spi 0x3 reqid 1 mode tunnel enc aes 0xf0e1d2c3b4a5f60708090a0b0c0d0e0f

Then cilium encrypt status crashes.

This patch fixes it.

Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status".

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 7, 2023
@jschwinger233 jschwinger233 added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Sep 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 7, 2023
@jschwinger233 jschwinger233 added area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. labels Sep 7, 2023
@jschwinger233 jschwinger233 marked this pull request as ready for review September 7, 2023 13:33
@jschwinger233 jschwinger233 requested review from a team as code owners September 7, 2023 13:33
margamanterola
margamanterola approved these changes Sep 7, 2023
View reviewed changes
Copy link
Member

@margamanterola margamanterola left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jschwinger233
Avoid panic when counting IPsec keys number
3b63a5b 
When executing `cilium encrypt status`, cilium-agent lists xfrm states
and counts number of different AEAD keys. However, cilium-agent panics
if there is any xfrm state using non-AEAD algorithm. These unexpected
xfrm states could be installed by other applications.

To reproduce the panic, we can manually install one by running command:

```
ip x s a src 1.1.1.1 dst 1.1.1.2 proto esp spi 0x3 reqid 1 mode tunnel enc aes 0xf0e1d2c3b4a5f60708090a0b0c0d0e0f
```

Then `cilium encrypt status` crashes.

This patch fixes it.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
@jschwinger233
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 12, 2023
@julianwiedmann julianwiedmann merged commit 85481c4 into cilium:main Sep 12, 2023
60 of 61 checks passed
@julianwiedmann
Copy link
Member

@jschwinger233 given this is a bugfix, should we add backport labels? And if so, how far back?

@julianwiedmann julianwiedmann added the kind/bug This is a bug in the Cilium logic. label Sep 12, 2023
@jschwinger233 jschwinger233 added backport/1.12 This PR represents a backport for Cilium 1.12.x of a PR that was merged to main. backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. labels Sep 12, 2023
@jschwinger233
Copy link
Member Author

@jschwinger233 given this is a bugfix, should we add backport labels? And if so, how far back?

Added backport labels for 1.12, 1.13 and 1.14

@margamanterola margamanterola removed backport/1.12 This PR represents a backport for Cilium 1.12.x of a PR that was merged to main. backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. labels Sep 12, 2023
@margamanterola margamanterola added needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch and removed backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. labels Sep 12, 2023
@margamanterola
Copy link
Member

The right labels are "needs-backport/1.x". Fixed now.

@doniacld doniacld mentioned this pull request Sep 22, 2023
Merged
10 tasks
@doniacld doniacld added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Sep 22, 2023
@giorio94 giorio94 mentioned this pull request Sep 26, 2023
Merged
22 tasks
@giorio94 giorio94 added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Sep 26, 2023
@giorio94 giorio94 mentioned this pull request Sep 26, 2023
Merged
12 tasks
@aanm aanm added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. backport-pending/1.12 labels Sep 29, 2023
This was referenced Oct 17, 2023
Merged
Merged
Merged
@jschwinger233 jschwinger233 mentioned this pull request Nov 21, 2023
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brb brb brb approved these changes

@asauber asauber asauber approved these changes

@margamanterola margamanterola margamanterola approved these changes

Assignees
No one assigned
Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@jschwinger233 @julianwiedmann @margamanterola @brb @asauber @aanm @doniacld @giorio94