| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Feb 2024 11:57:15 +0000
From: "Romanowski, Rafal" <rafal.romanowski@...el.com>
To: Simon Horman <horms@...nel.org>, ivecera <ivecera@...hat.com>
CC: Mateusz Palczewski <mateusz.palczewski@...el.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Williams, Mitch A"
<mitch.a.williams@...el.com>, "Brandeburg, Jesse"
<jesse.brandeburg@...el.com>, open list <linux-kernel@...r.kernel.org>, "Eric
Dumazet" <edumazet@...gle.com>, "Nguyen, Anthony L"
<anthony.l.nguyen@...el.com>, Jeff Kirsher <jeffrey.t.kirsher@...el.com>,
Sylwester Dziedziuch <sylwesterx.dziedziuch@...el.com>, Jakub Kicinski
<kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, "David S. Miller"
<davem@...emloft.net>, "moderated list:INTEL ETHERNET DRIVERS"
<intel-wired-lan@...ts.osuosl.org>
Subject: RE: [Intel-wired-lan] [PATCH net] i40e: Do not allow untrusted VF to
remove administratively set MAC
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf Of
> Simon Horman
> Sent: Friday, February 2, 2024 1:43 PM
> To: ivecera <ivecera@...hat.com>
> Cc: Mateusz Palczewski <mateusz.palczewski@...el.com>;
> netdev@...r.kernel.org; Williams, Mitch A <mitch.a.williams@...el.com>;
> Brandeburg, Jesse <jesse.brandeburg@...el.com>; open list <linux-
> kernel@...r.kernel.org>; Eric Dumazet <edumazet@...gle.com>; Nguyen,
> Anthony L <anthony.l.nguyen@...el.com>; Jeff Kirsher
> <jeffrey.t.kirsher@...el.com>; Sylwester Dziedziuch
> <sylwesterx.dziedziuch@...el.com>; Jakub Kicinski <kuba@...nel.org>; Paolo
> Abeni <pabeni@...hat.com>; David S. Miller <davem@...emloft.net>;
> moderated list:INTEL ETHERNET DRIVERS <intel-wired-lan@...ts.osuosl.org>
> Subject: Re: [Intel-wired-lan] [PATCH net] i40e: Do not allow untrusted VF to
> remove administratively set MAC
>
> On Wed, Jan 31, 2024 at 02:17:14PM +0100, Ivan Vecera wrote:
> > Currently when PF administratively sets VF's MAC address and the VF is
> > put down (VF tries to delete all MACs) then the MAC is removed from
> > MAC filters and primary VF MAC is zeroed.
> >
> > Do not allow untrusted VF to remove primary MAC when it was set
> > administratively by PF.
> >
> > Reproducer:
> > 1) Create VF
> > 2) Set VF interface up
> > 3) Administratively set the VF's MAC
> > 4) Put VF interface down
> >
> > [root@...t ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
> > [root@...t ~]# ip link set enp2s0f0v0 up [root@...t ~]# ip link set
> > enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@...t ~]# ip link show
> > enp2s0f0
> > 23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> mq state UP mode DEFAULT group default qlen 1000
> > link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
> > vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on,
> link-state auto, trust off
> > [root@...t ~]# ip link set enp2s0f0v0 down [root@...t ~]# ip link show
> > enp2s0f0
> > 23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> mq state UP mode DEFAULT group default qlen 1000
> > link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
> > vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on,
> link-state auto, trust off
> >
> > Fixes: 700bbf6c1f9e ("i40e: allow VF to remove any MAC filter")
> > Fixes: ceb29474bbbc ("i40e: Add support for VF to specify its primary
> > MAC address")
> > Signed-off-by: Ivan Vecera <ivecera@...hat.com>
>
> Thanks Ivan,
>
> Reviewed-by: Simon Horman <horms@...nel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@...el.com>
Powered by blists - more mailing lists