lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <942f99e9-086d-25dc-e008-8de2c5c721b1@virtuozzo.com>
Date:   Wed, 7 Feb 2018 16:20:01 +0300
From:   Kirill Tkhai <ktkhai@...tuozzo.com>
To:     Christian Brauner <christian.brauner@...ntu.com>,
        netdev@...r.kernel.org
Cc:     stephen@...workplumber.org, w.bumiller@...xmox.com,
        ebiederm@...ssion.com, jbenc@...hat.com, nicolas.dichtel@...nd.com,
        linux-kernel@...r.kernel.org, dsahern@...il.com,
        davem@...emloft.net
Subject: Re: [PATCH net 1/1 v4] rtnetlink: require unique netns identifier



On 07.02.2018 15:53, Christian Brauner wrote:
> Since we've added support for IFLA_IF_NETNSID for RTM_{DEL,GET,SET,NEW}LINK
> it is possible for userspace to send us requests with three different
> properties to identify a target network namespace. This affects at least
> RTM_{NEW,SET}LINK. Each of them could potentially refer to a different
> network namespace which is confusing. For legacy reasons the kernel will
> pick the IFLA_NET_NS_PID property first and then look for the
> IFLA_NET_NS_FD property but there is no reason to extend this type of
> behavior to network namespace ids. The regression potential is quite
> minimal since the rtnetlink requests in question either won't allow
> IFLA_IF_NETNSID requests before 4.16 is out (RTM_{NEW,SET}LINK) or don't
> support IFLA_NET_NS_{PID,FD} (RTM_{DEL,GET}LINK) in the first place.
> 
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
> ---
> ChangeLog v3->v4:
> * Based on discussions with Eric and Jiri: disallow passing multiple network
>   namespace identifying properties for all requests, i.e. always enforce
>   uniqueness.
> * disable passing IFLA_NET_NS_{FD,PID} for RTM_{DEL,GET}LINK completely since
>   they never supported it
> ChangeLog v2->v3:
> * Specifying target network namespaces with pids or fds seems racy since the
>   process might die and the pid get recycled or the process does a setns() in
>   which case the tests would be invalid. So only check whether multiple
>   properties are specified and report a helpful error in this case.
> ChangeLog v1->v2:
> * return errno when the specified network namespace id is invalid
> * fill in struct netlink_ext_ack if the network namespace id is invalid
> * rename rtnl_ensure_unique_netns_attr() to rtnl_ensure_unique_netns() to
>   indicate that a request without any network namespace identifying attributes
>   is also considered valid.
> ChangeLog v0->v1:
> * report a descriptive error to userspace via struct netlink_ext_ack
> * do not fail when multiple properties specifiy the same network namespace
> ---
>  net/core/rtnetlink.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 48 insertions(+)
> 
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 56af8e41abfc..bc290413a49d 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -1951,6 +1951,38 @@ static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb,
>  	return net;
>  }
>  
> +/* Verify that rtnetlink requests do not pass additional properties
> + * potentially referring to different network namespaces.
> + */
> +static int rtnl_ensure_unique_netns(struct nlattr *tb[],
> +				    struct netlink_ext_ack *extack,
> +				    bool netns_id_only)
> +{
> +
> +	if (netns_id_only) {
> +		if (!tb[IFLA_NET_NS_PID] && !tb[IFLA_NET_NS_FD])
> +			return 0;
> +
> +		NL_SET_ERR_MSG(extack, "specified netns attribute not supported");
> +		return -EOPNOTSUPP;
> +	}
> +
> +	if (tb[IFLA_IF_NETNSID] && (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]))
> +		goto invalid_attr;
> +
> +	if (tb[IFLA_NET_NS_PID] && (tb[IFLA_IF_NETNSID] || tb[IFLA_NET_NS_FD]))
> +		goto invalid_attr;
> +
> +	if (tb[IFLA_NET_NS_FD] && (tb[IFLA_IF_NETNSID] || tb[IFLA_NET_NS_PID]))
> +		goto invalid_attr;

Can't we write these 3 above branches more compact? Something like this:

	if (!!tb[IFLA_NET_NS_FD] + !!tb[IFLA_IF_NETNSID] + !!tb[IFLA_NET_NS_PID] <= 1)
		return 0;

Also, do we really need two different error values and error messages?

Kirill

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ