lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 7 Oct 2016 10:07:58 +0100
From:   Wei Liu <wei.liu2@...rix.com>
To:     Paul Durrant <paul.durrant@...rix.com>
CC:     <netdev@...r.kernel.org>, <xen-devl@...ts.xenproject.org>,
        Wei Liu <wei.liu2@...rix.com>
Subject: Re: [PATCH v2 net] xen-netback: make sure that hashes are not send
 to unaware frontends

On Fri, Oct 07, 2016 at 09:32:31AM +0100, Paul Durrant wrote:
> In the case when a frontend only negotiates a single queue with xen-
> netback it is possible for a skbuff with a s/w hash to result in a
> hash extra_info segment being sent to the frontend even when no hash
> algorithm has been configured. (The ndo_select_queue() entry point makes
> sure the hash is not set if no algorithm is configured, but this entry
> point is not called when there is only a single queue). This can result
> in a frontend that is unable to handle extra_info segments being given
> such a segment, causing it to crash.
> 
> This patch fixes the problem by clearing the hash in ndo_start_xmit()
> instead, which is clearly guaranteed to be called irrespective of the
> number of queues.
> 
> Signed-off-by: Paul Durrant <paul.durrant@...rix.com>
> Cc: Wei Liu <wei.liu2@...rix.com>

Acked-by: Wei Liu <wei.liu2@...rix.com>

> ---
> 
> v2:
>  - Simplified and re-based onto re-factored net branch
> ---
>  drivers/net/xen-netback/interface.c | 20 +++++++++-----------
>  1 file changed, 9 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
> index 4af532a..74dc2bf 100644
> --- a/drivers/net/xen-netback/interface.c
> +++ b/drivers/net/xen-netback/interface.c
> @@ -149,17 +149,8 @@ static u16 xenvif_select_queue(struct net_device *dev, struct sk_buff *skb,
>  	struct xenvif *vif = netdev_priv(dev);
>  	unsigned int size = vif->hash.size;
>  
> -	if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE) {
> -		u16 index = fallback(dev, skb) % dev->real_num_tx_queues;
> -
> -		/* Make sure there is no hash information in the socket
> -		 * buffer otherwise it would be incorrectly forwarded
> -		 * to the frontend.
> -		 */
> -		skb_clear_hash(skb);
> -
> -		return index;
> -	}
> +	if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
> +		return fallback(dev, skb) % dev->real_num_tx_queues;
>  
>  	xenvif_set_skb_hash(vif, skb);
>  
> @@ -208,6 +199,13 @@ static int xenvif_start_xmit(struct sk_buff *skb, struct net_device *dev)
>  	cb = XENVIF_RX_CB(skb);
>  	cb->expires = jiffies + vif->drain_timeout;
>  
> +	/* If there is no hash algorithm configured then make sure there
> +	 * is no hash information in the socket buffer otherwise it
> +	 * would be incorrectly forwarded to the frontend.
> +	 */
> +	if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
> +		skb_clear_hash(skb);
> +
>  	xenvif_rx_queue_tail(queue, skb);
>  	xenvif_kick_thread(queue);
>  
> -- 
> 2.1.4
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ