| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250703080411.21c45920@uranium> Date: Thu, 3 Jul 2025 08:04:11 -0300 From: Flavio Leitner <fbl@...close.org> To: Ilya Maximets <i.maximets@....org> Cc: netdev@...r.kernel.org, dev@...nvswitch.org, linux-kernel@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>, Simon Horman <horms@...nel.org>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, "David S. Miller" <davem@...emloft.net> Subject: Re: [ovs-dev] [PATCH net-next] net: openvswitch: allow providing upcall pid for the 'execute' command On Thu, 3 Jul 2025 10:38:49 +0200 Ilya Maximets <i.maximets@....org> wrote: > On 7/3/25 1:08 AM, Flavio Leitner wrote: > >>>> @@ -651,6 +654,10 @@ static int ovs_packet_cmd_execute(struct sk_buff > >>>> *skb, struct genl_info *info) !!(hash & OVS_PACKET_HASH_L4_BIT)); > >>>> } > >>>> > >>>> + if (a[OVS_PACKET_ATTR_UPCALL_PID]) > >>>> + upcall_pid = > >>>> nla_get_u32(a[OVS_PACKET_ATTR_UPCALL_PID]); > >>>> + OVS_CB(packet)->upcall_pid = upcall_pid; > > > > Since this is coming from userspace, does it make sense to check if the > > upcall_pid is one of the pids in the dp->upcall_portids array? > > Not really. IMO, this would be an unnecessary artificial restriction. > We're not concerned about security here since OVS_PACKET_CMD_EXECUTE > requires the same privileges as the OVS_DP_CMD_NEW or the > OVS_DP_CMD_SET. What if the userspace is buggy or compromised? It seems netlink API will return -ECONNREFUSED and the upcall is dropped. Therefore, we would be okay either way, correct?
Powered by blists - more mailing lists