| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100803070709.GO11110@cel.leo>
Date: Tue, 3 Aug 2010 08:07:10 +0100
From: Paul LeoNerd Evans <leonerd@...nerd.org.uk>
To: David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Cc: hagen@...u.net
Subject: Re: RFC: New BGF 'LOOP' instruction
On Mon, Aug 02, 2010 at 10:18:13PM -0700, David Miller wrote:
> If you just check for a single loop hitting, the user will just use
> a chaining of two looping constructs. And then three levels of
> indirection, then four, etc. He can run up to just before exhasting
> the "iteration limit" of one loop, and branch to the next one, and
> so on and so forth.
And this is why part of my suggestion bans the use of a LOOP
instruction within the "body" of another, such that they cannot nest.
> There are probably a million ways to exploit this, and once you come
> up with a validation or limiting scheme one of two things will happen:
>
> 1) The limiting scheme will make legitimate scripts USELESS
Rightnow, BPF is all but useless for parsing, say, IPv6. I only pick
IPv6 as one example, I'm sure there must exist a great number more
packet-based protocols that use a "linked-list" style approach to
headers. None of those are currently filterable on the current set of
instructions. LOOP would allow these.
--
Paul "LeoNerd" Evans
leonerd@...nerd.org.uk
ICQ# 4135350 | Registered Linux# 179460
http://www.leonerd.org.uk/
Download attachment "signature.asc" of type "application/pgp-signature" (191 bytes)
Powered by blists - more mailing lists