lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 8 Dec 2019 11:33:13 +0100
From:   Geert Uytterhoeven <geert@...ux-m68k.org>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     Stephen Rothwell <sfr@...b.auug.org.au>,
        David Miller <davem@...emloft.net>,
        Networking <netdev@...r.kernel.org>,
        Linux Next Mailing List <linux-next@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        NetFilter <netfilter-devel@...r.kernel.org>,
        Jiri Pirko <jiri@...lanox.com>,
        Jozsef Kadlecsik <kadlec@...filter.org>,
        Florian Westphal <fw@...len.de>
Subject: Re: nf_flow on big-endian (was: Re: linux-next: build warning after
 merge of the net-next tree)

Hi Pablo,

On Sat, Dec 7, 2019 at 5:41 PM Pablo Neira Ayuso <pablo@...filter.org> wrote:
> On Tue, Nov 26, 2019 at 12:06:03PM +0100, Geert Uytterhoeven wrote:
> > On Thu, Nov 21, 2019 at 8:36 AM Stephen Rothwell <sfr@...b.auug.org.au> wrote:
> > > After merging the net-next tree, today's linux-next build (powerpc
> > > allyesconfig) produced this warning:
> > >
> > > net/netfilter/nf_flow_table_offload.c: In function 'nf_flow_rule_match':
> > > net/netfilter/nf_flow_table_offload.c:80:21: warning: unsigned conversion from 'int' to '__be16' {aka 'short unsigned int'} changes value from '327680' to '0' [-Woverflow]
> > >    80 |   mask->tcp.flags = TCP_FLAG_RST | TCP_FLAG_FIN;
> > >       |                     ^~~~~~~~~~~~
> > >
> > > Introduced by commit
> > >
> > >   c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
> >
> > This is now upstream, and must be completely broken on big-endian
> > platforms.
> >
> > The other user of the flags field looks buggy, too
> > (net/core/flow_dissector.c:__skb_flow_dissect_tcp()[*]):
> >
> >      key_tcp->flags = (*(__be16 *) &tcp_flag_word(th) & htons(0x0FFF));
> >
> > Disclaimer: I'm not familiar with the code or protocol, so below are just
> > my gut feelings.
> >
> >      struct flow_dissector_key_tcp {
> >             __be16 flags;
> >     };
> >
> > Does this have to be __be16, i.e. does it go over the wire?
> > If not, this should probably be __u16, and set using
> > "be32_to_cpu(flags) >> 16"?
> > If yes, "cpu_to_be16(be32_to_cpu(flags) >> 16)"?
> > (Ugh, needs convenience macros)
> >
> > [*] ac4bb5de27010e41 ("net: flow_dissector: add support for dissection
> > of tcp flags")
>
> I'm attaching a tentative patch, please let me know this is fixing up
> this issue there.

Thanks, this looks good to me, and fixes the build warning.
For this localized change (not for the global interaction), with the nits
below fixed:
Reviewed-by: Geert Uytterhoeven <geert@...ux-m68k.org>

> --- a/include/net/flow_dissector.h
> +++ b/include/net/flow_dissector.h
> @@ -189,10 +189,17 @@ struct flow_dissector_key_eth_addrs {
>
>  /**
>   * struct flow_dissector_key_tcp:
> - * @flags: flags
> + * @flags: TCP flags (16-bit, including the initial Data offset field bits)

@pad?

> + * @word: Data offset + reserved bits + TCP flags + window

flag_word

>   */
>  struct flow_dissector_key_tcp {
> -     __be16 flags;
> +     union {
> +             struct {
> +                     __be16 flags;
> +                     __be16 __pad;
> +             };
> +             __be32  flag_word;
> +     };
>  };
>
>  /**
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index ca871657a4c4..83af4633f306 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -756,7 +756,7 @@ __skb_flow_dissect_tcp(const struct sk_buff *skb,
>       key_tcp = skb_flow_dissector_target(flow_dissector,
>                                           FLOW_DISSECTOR_KEY_TCP,
>                                           target_container);
> -     key_tcp->flags = (*(__be16 *) &tcp_flag_word(th) & htons(0x0FFF));
> +     key_tcp->flag_word = tcp_flag_word(th);
>  }
>
>  static void
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index c94ebad78c5c..30205d57226d 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -87,8 +87,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
>
>       switch (tuple->l4proto) {
>       case IPPROTO_TCP:
> -             key->tcp.flags = 0;
> -             mask->tcp.flags = TCP_FLAG_RST | TCP_FLAG_FIN;
> +             key->tcp.flag_word = 0;
> +             mask->tcp.flag_word = TCP_FLAG_RST | TCP_FLAG_FIN;
>               match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_TCP);
>               break;
>       case IPPROTO_UDP:


Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ