| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <F6FB0E698C9B3143BDF729DF222866469129BC03@ORSMSX110.amr.corp.intel.com> Date: Wed, 21 Jan 2015 20:27:49 +0000 From: "Skidmore, Donald C" <donald.c.skidmore@...el.com> To: Hiroshi Shimamoto <h-shimamoto@...jp.nec.com>, David Laight <David.Laight@...LAB.COM>, Bjørn Mork <bjorn@...k.no> CC: "e1000-devel@...ts.sourceforge.net" <e1000-devel@...ts.sourceforge.net>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Choi, Sy Jong" <sy.jong.choi@...el.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Hayato Momma <h-momma@...jp.nec.com> Subject: RE: [E1000-devel] [PATCH 1/2] if_link: Add VF multicast promiscuous mode control > -----Original Message----- > From: Hiroshi Shimamoto [mailto:h-shimamoto@...jp.nec.com] > Sent: Wednesday, January 21, 2015 4:18 AM > To: David Laight; Skidmore, Donald C; Bjørn Mork > Cc: e1000-devel@...ts.sourceforge.net; netdev@...r.kernel.org; Choi, Sy > Jong; linux-kernel@...r.kernel.org; Hayato Momma > Subject: RE: [E1000-devel] [PATCH 1/2] if_link: Add VF multicast promiscuous > mode control > > > Subject: RE: [E1000-devel] [PATCH 1/2] if_link: Add VF multicast > > promiscuous mode control > > > > From: Hiroshi Shimamoto > > > My concern is what is the real issue that VF multicast promiscuous mode > can cause. > > > I think there is the 4k entries to filter multicast address, and the > > > current ixgbe/ixgbevf can turn all bits on from VM. That is almost same as > enabling multicast promiscuous mode. > > > I mean that we can receive all multicast addresses by an onerous > operation in untrusted VM. > > > I think we should clarify what is real security issue in this context. > > > > If you are worried about passing un-enabled multicasts to users then > > what about doing a software hash of received multicasts and checking > > against an actual list of multicasts enabled for that hash entry. > > Under normal conditions there is likely to be only a single address to check. > > > > It may (or may not) be best to use the same hash as any hashing > > hardware filter uses. > > thanks for the comment. But I don't think that is the point. > > I guess, introducing VF multicast promiscuous mode seems to add new > privilege to peek every multicast packet in VM and that doesn't look good. > On the other hand, I think that there has been the same privilege in the > current ixgbe/ixgbevf implementation already. Or I'm reading the code > wrongly. > I'd like to clarify what is the issue of allowing to receive all multicast packets. Allowing a VM to give itself the privilege of seeing every multicast packet could be seen as a hole in VM isolation. Now if the host system allows this policy I don't see this as an issue as someone specifically allowed this to happen and then must not be concerned. We could even log that it has occurred, which I believe your patch did do. The issue is also further muddied, as you mentioned above, since some of these multicast packets are leaking anyway (the HW currently uses a 12 bit mask). It's just that this change would greatly enlarge that hole from a fraction to all multicast packets. > > thanks, > Hiroshi
Powered by blists - more mailing lists