| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4843eb55-eff2-4bc8-bed2-ba12dd46b573@daynix.com> Date: Fri, 10 Jan 2025 19:25:29 +0900 From: Akihiko Odaki <akihiko.odaki@...nix.com> To: Jason Wang <jasowang@...hat.com> Cc: Jonathan Corbet <corbet@....net>, Willem de Bruijn <willemdebruijn.kernel@...il.com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, "Michael S. Tsirkin" <mst@...hat.com>, Xuan Zhuo <xuanzhuo@...ux.alibaba.com>, Shuah Khan <shuah@...nel.org>, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org, Yuri Benditovich <yuri.benditovich@...nix.com>, Andrew Melnychenko <andrew@...nix.com>, Stephen Hemminger <stephen@...workplumber.org>, gur.stavi@...wei.com, devel@...nix.com Subject: Re: [PATCH v2 2/3] tun: Pad virtio header with zero On 2025/01/10 12:27, Jason Wang wrote: > On Thu, Jan 9, 2025 at 2:59 PM Akihiko Odaki <akihiko.odaki@...nix.com> wrote: >> >> tun used to simply advance iov_iter when it needs to pad virtio header, >> which leaves the garbage in the buffer as is. This is especially >> problematic when tun starts to allow enabling the hash reporting >> feature; even if the feature is enabled, the packet may lack a hash >> value and may contain a hole in the virtio header because the packet >> arrived before the feature gets enabled or does not contain the >> header fields to be hashed. If the hole is not filled with zero, it is >> impossible to tell if the packet lacks a hash value. > > I'm not sure I will get here, could we do this in the series of hash reporting? I'll create another series dedicated for this and num_buffers change as suggested by Willem. > >> >> In theory, a user of tun can fill the buffer with zero before calling >> read() to avoid such a problem, but leaving the garbage in the buffer is >> awkward anyway so fill the buffer in tun. >> >> Signed-off-by: Akihiko Odaki <akihiko.odaki@...nix.com> >> --- >> drivers/net/tun_vnet.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/net/tun_vnet.c b/drivers/net/tun_vnet.c >> index fe842df9e9ef..ffb2186facd3 100644 >> --- a/drivers/net/tun_vnet.c >> +++ b/drivers/net/tun_vnet.c >> @@ -138,7 +138,8 @@ int tun_vnet_hdr_put(int sz, struct iov_iter *iter, >> if (copy_to_iter(hdr, sizeof(*hdr), iter) != sizeof(*hdr)) >> return -EFAULT; >> >> - iov_iter_advance(iter, sz - sizeof(*hdr)); >> + if (iov_iter_zero(sz - sizeof(*hdr), iter) != sz - sizeof(*hdr)) >> + return -EFAULT; >> >> return 0; > > There're various callers of iov_iter_advance(), do we need to fix them all? No. For example, there are iov_iter_advance() calls for SOCK_ZEROCOPY in tun_get_user() and tap_get_user(). They are fine as they are not writing buffers after skipping. The problem is that read_iter() and recvmsg() says it wrote N bytes but it leaves some of this N bytes uninialized. Such an implementation may be created even without iov_iter_advance() (for example just returning a too big number), and it is equally problematic with the current tun_get_user()/tap_get_user(). Regards, Akihiko Odaki > > Thanks > >> } > >> >> -- >> 2.47.1 >> >
Powered by blists - more mailing lists