lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7fb38122abcbcf28f7af8b9891d0b0852c01f088.camel@sipsolutions.net>
Date: Wed, 20 Nov 2024 09:44:03 +0100
From: Johannes Berg <johannes@...solutions.net>
To: Jakub Kicinski <kuba@...nel.org>, Dmitry Safonov via B4 Relay
	 <devnull+0x7f454c46.gmail.com@...nel.org>
Cc: 0x7f454c46@...il.com, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Simon
 Horman <horms@...nel.org>, David Ahern <dsahern@...nel.org>, Ivan Delalande
 <colona@...sta.com>, Matthieu Baerts <matttbe@...nel.org>, Mat Martineau
 <martineau@...nel.org>, Geliang Tang <geliang@...nel.org>, John Fastabend
 <john.fastabend@...il.com>, Davide Caratti <dcaratti@...hat.com>, Kuniyuki
 Iwashima <kuniyu@...zon.com>, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org,  mptcp@...ts.linux.dev
Subject: Re: [PATCH net v2 0/5] Make TCP-MD5-diag slightly less broken

(Sorry, late to the party)

On Fri, 2024-11-15 at 16:08 -0800, Jakub Kicinski wrote:
> On Wed, 13 Nov 2024 18:46:39 +0000 Dmitry Safonov via B4 Relay wrote:
> > 2. Inet-diag allocates netlink message for sockets in
> >    inet_diag_dump_one_icsk(), which uses a TCP-diag callback
> >    .idiag_get_aux_size(), that pre-calculates the needed space for
> >    TCP-diag related information. But as neither socket lock nor
> >    rcu_readlock() are held between allocation and the actual TCP
> >    info filling, the TCP-related space requirement may change before
> >    reaching tcp_diag_put_md5sig(). I.e., the number of TCP-MD5 keys on
> >    a socket. Thankfully, TCP-MD5-diag won't overwrite the skb, but will
> >    return EMSGSIZE, triggering WARN_ON() in inet_diag_dump_one_icsk().
> 
> Would it be too ugly if we simply retried with a 32kB skb if the initial
> dump failed with EMSGSIZE?

We have min_dump_alloc, which a number of places are setting much higher
than the default, partially at least because there were similar issues,
e.g. in nl80211. See e.g. nl80211_dump_wiphy() doing it dynamically.

Kind of ugly? Sure! And we shouldn't use it now with newer userspace
that knows to request a more finely split dump. For older userspace it's
the only way though.

Also, we don't even give all the data to older userspace (it must
support split dumps to get information about the more modern features, 6
GHz channels, etc.), but I gather that's not an option here.

> Another option would be to automatically grow the skb. The size
> accounting is an endless source of bugs. We'd just need to scan
> the codebase to make sure there are no cases where someone does
> 
> 	ptr = __nla_reserve();
> 	nla_put();
> 	*ptr = 0;
> 
> Which may be too much of a project and source of bugs in itself.
> 
> Or do both, retry as a fix, and auto-grow in net-next.

For auto-grow you'd also have to have information about the userspace
buffer, I think? It still has to fit there, might as well fail anyway if
that buffer is too small? I'm not sure we have that link back? But I'm
not really sure right now, just remember this as an additional wrinkle
from the above-mentioned nl80211 problem.

johannes

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ