lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 30 Nov 2022 21:54:21 +0900
From:   asmadeus@...ewreck.org
To:     Christian Schoenebeck <linux_oss@...debyte.com>
Cc:     Schspa Shi <schspa@...il.com>, ericvh@...il.com, lucho@...kov.net,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, v9fs-developer@...ts.sourceforge.net,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzbot+8f1060e2aaf8ca55220b@...kaller.appspotmail.com
Subject: Re: [PATCH] 9p: fix crash when transaction killed

Christian Schoenebeck wrote on Wed, Nov 30, 2022 at 01:43:20PM +0100:
> > > As for the release case, the next request will have the same tag with
> > > high probability. It's better to make the tag value to be an increase
> > > sequence, thus will avoid very much possible req reuse.
> > 
> > I'd love to be able to do this, but it would break some servers that
> > assume tags are small (e.g. using it as an index for a tag array)
> > ... I thought nfs-ganesha was doing this but they properly put in in
> > buckets, so that's one less server to worry about, but I wouldn't put
> > it past some simple servers to do that; having a way to lookup a given
> > tag for flush is an implementation requirement.
> 
> I really think it's time to emit tag number sequentially. If it turns out that
> it's a server that is broken, we could then simply ignore replies with old/
> unknown tag number. It would also help a lot when debugging 9p issues in
> general when you know tag numbers are not re-used (in near future).
> 
> A 9p server must not make any assumptions how tag numbers are generated by
> client, whether dense or sparse, or whatever. If it does then server is
> broken, which is much easier to fix than synchronization issues we have to
> deal with like this one.

Well, it's a one line change: just replace the idr_alloc in the else
branch of p9_tag_alloc with idr_alloc_cyclic.
But linux has an history of not breaking userspace, even if it's broken.
One could argue that the server side of a networked protocol isn't
as tightly coupled but I still think we should be careful with it --
adding a new mount option to rever to the old behaviour at the very
least.

I'm also not convinced it'd fix anything here, we're not talking about a
real server but about a potential attacker -- if a reply comes in with
the next tag while we're allocating it, we'll get the exact same problem
as we have right now.
Frankly, 9p has no security at all so I'm not sure this is something we
really need to worry about, but bugs are bugs so we might as well fix
them if someone has the time for that...

Anyway, I can appreciate that logs will definitely be easier to read, so
an option to voluntarily switch to cyclic allocation would be more than
welcome as a first step and shouldn't be too hard to do...

-- 
Dominique

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ