| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Mar 2019 11:11:05 +0100
From: Björn Töpel <bjorn.topel@...il.com>
To: Maciej Fijalkowski <maciejromanfijalkowski@...il.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Netdev <netdev@...r.kernel.org>,
Björn Töpel <bjorn.topel@...el.com>,
"Karlsson, Magnus" <magnus.karlsson@...el.com>,
Magnus Karlsson <magnus.karlsson@...il.com>,
bpf <bpf@...r.kernel.org>
Subject: Re: [PATCH bpf 1/2] xsk: fix to reject invalid flags in xsk_bind
On Fri, 8 Mar 2019 at 11:00, Maciej Fijalkowski
<maciejromanfijalkowski@...il.com> wrote:
>
> On Fri, 8 Mar 2019 08:57:26 +0100
> Björn Töpel <bjorn.topel@...il.com> wrote:
>
> > From: Björn Töpel <bjorn.topel@...el.com>
> >
> > Passing a non-existing flag in the sxdp_flags member of struct
> > sockaddr_xdp was, incorrectly, silently ignored. This patch addresses
> > that behavior, and rejects any non-existing flags.
> >
> > We have examined existing user space code, and to our best knowledge,
> > no one is relying on the current incorrect behavior. AF_XDP is still
> > in its infancy, so from our perspective, the risk of breakage is very
> > low, and addressing this problem now is important.
> >
> > Fixes: 965a99098443 ("xsk: add support for bind for Rx")
> > Signed-off-by: Björn Töpel <bjorn.topel@...el.com>
> > ---
> > net/xdp/xsk.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> > index 6697084e3fdf..a14e8864e4fa 100644
> > --- a/net/xdp/xsk.c
> > +++ b/net/xdp/xsk.c
> > @@ -407,6 +407,10 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
> > if (sxdp->sxdp_family != AF_XDP)
> > return -EINVAL;
> >
> > + flags = sxdp->sxdp_flags;
> > + if (flags & ~(XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY))
> > + return -EINVAL;
> > +
>
> What about setting more than one flag at a time? Is it allowed/make any sense?
> After a quick look it seems that they exclude each other, e.g. you can't force
> a zero copy and copy mode at the same time. And for XDP_SHARED_UMEM two
> remaining flags can't be set.
>
> So maybe check here also that only one particular flag is set by doing:
>
> if (hweight32(flags & (XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY)) > 1)
> return -EINVAL;
>
> just like we do it for IFLA_XDP_FLAGS in net/core/rtnetlink.c?
>
We have flag semantic checks further down, and my rational was to
*only* check unknown flags first. IMO the current patch is easier to
understand, than your suggested one.
Thanks for taking a look!
Cheers,
Björn
> > mutex_lock(&xs->mutex);
> > if (xs->dev) {
> > err = -EBUSY;
> > @@ -425,7 +429,6 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
> > }
> >
> > qid = sxdp->sxdp_queue_id;
> > - flags = sxdp->sxdp_flags;
> >
> > if (flags & XDP_SHARED_UMEM) {
> > struct xdp_sock *umem_xs;
>
Powered by blists - more mailing lists