Date:   Wed, 7 Nov 2018 12:06:48 -0700
From:   David Ahern <dsahern@...il.com>
To:     Mike Manning <mmanning@...tta.att-mail.com>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next v5 3/9] net: ensure unbound datagram socket to be chosen when not in a VRF

On 11/7/18 8:36 AM, Mike Manning wrote:
> Ensure an unbound datagram skt is chosen when not in a VRF. The check
> for a device match in compute_score() for UDP must be performed when
> there is no device match. For this, a failure is returned when there is
> no device match. This ensures that bound sockets are never selected,
> even if there is no unbound socket.
> 
> Allow IPv6 packets to be sent over a datagram skt bound to a VRF. These
> packets are currently blocked, as flowi6_oif was set to that of the
> master vrf device, and the ipi6_ifindex is that of the slave device.
> Allow these packets to be sent by checking the device with ipi6_ifindex
> has the same L3 scope as that of the bound device of the skt, which is
> the master vrf device. Note that this check always succeeds if the skt
> is unbound.
> 
> Even though the right datagram skt is now selected by compute_score(),
> a different skt is being returned that is bound to the wrong vrf. The
> difference between these and stream sockets is the handling of the skt
> option for SO_REUSEPORT. While the handling when adding a skt for reuse
> correctly checks that the bound device of the skt is a match, the skts
> in the hashslot are already incorrect. So for the same hash, a skt for
> the wrong vrf may be selected for the required port. The root cause is
> that the skt is immediately placed into a slot when it is created,
> but when the skt is then bound using SO_BINDTODEVICE, it remains in the
> same slot. The solution is to move the skt to the correct slot by
> forcing a rehash.
> 
> Signed-off-by: Mike Manning <mmanning@...tta.att-mail.com>
> ---
>  include/net/udp.h   | 11 +++++++++++
>  net/core/sock.c     |  2 ++
>  net/ipv4/udp.c      | 15 ++++++---------
>  net/ipv6/datagram.c | 10 +++++++---
>  net/ipv6/udp.c      | 14 +++++---------
>  5 files changed, 31 insertions(+), 21 deletions(-)

Reviewed-by: David Ahern <dsahern@...il.com>
Tested-by: David Ahern <dsahern@...il.com>
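The selection rule the commit message describes (a bound UDP socket is rejected outright on a device mismatch, so an unbound socket is the only candidate when no bound socket matches), shown as an added, simplified user-space model; this is not the kernel's compute_score() and the socket table, ports and interface indexes are constructed for illustration:

```c
#include <stddef.h>

/* Minimal stand-in for a UDP socket: SO_BINDTODEVICE sets bound_dev_if,
 * 0 means unbound. Constructed model, not the kernel's struct sock. */
struct udp_sk {
    int bound_dev_if;
    int port;
};

/* Score a socket for a packet to dst port `port` arriving on ifindex `dif`.
 * Returns -1 when the socket must never be chosen. The point from the
 * commit message: a device mismatch on a bound socket is a hard failure,
 * not merely a lower score, so it loses even when no unbound socket exists. */
static int compute_score(const struct udp_sk *sk, int port, int dif)
{
    int score = 1;

    if (sk->port != port)
        return -1;
    if (sk->bound_dev_if) {
        if (sk->bound_dev_if != dif)
            return -1;          /* bound to another device: never select */
        score += 4;             /* exact device match outranks unbound */
    }
    return score;
}

/* Return the index of the best-scoring socket, or -1 if none qualifies. */
static int udp_lookup(const struct udp_sk *sks, size_t n, int port, int dif)
{
    int best = -1, badness = 0;

    for (size_t i = 0; i < n; i++) {
        int s = compute_score(&sks[i], port, dif);
        if (s > badness) {
            badness = s;
            best = (int)i;
        }
    }
    return best;
}

/* Constructed table: ifindex 10 and 20 stand for two VRF master devices. */
static const struct udp_sk socks[] = { {10, 53}, {20, 53}, {0, 53} };

/* Lookup with only the two bound sockets present (first two entries). */
static int lookup_bound_only(int dif) { return udp_lookup(socks, 2, 53, dif); }

/* Lookup with the unbound socket also present (all three entries). */
static int lookup_with_unbound(int dif) { return udp_lookup(socks, 3, 53, dif); }
```

A packet arriving on a device neither socket is bound to (ifindex 30 below) gets no socket at all from the bound-only table, and the unbound socket once it is present; traffic in a VRF still reaches the socket bound to that VRF's device.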
