| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+FuTSeUnqrpyJVRycviPOC8Tv-zYuqesARY24Y4rAgHr2XXtw@mail.gmail.com>
Date: Mon, 1 Dec 2014 10:41:57 -0500
From: Willem de Bruijn <willemb@...gle.com>
To: Andy Lutomirski <luto@...capital.net>
Cc: Network Development <netdev@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
Richard Cochran <richardcochran@...il.com>
Subject: Re: [PATCH net-next 2/3] net-timestamp: allow reading recv cmsg on
errqueue with origin tstamp
>> The recv cmsg interfaces are also relevant to the discussion of
>> whether looping packet headers is problematic. For v6, cmsgs that
>> identify many headers are already returned. This patch expands
>> that to v4. If it sounds reasonable, I will follow with patches
>>
>> 1. request timestamps without payload with SOF_TIMESTAMPING_OPT_TSONLY
>> (http://patchwork.ozlabs.org/patch/366967/)
>> 2. sysctl to conditionally drop all timestamps that have payload or
>> cmsg from users without CAP_NET_RAW.
>> ---
>> +SOF_TIMESTAMPING_OPT_CMSG:
>> +
>> + Support recv() cmsg for all timestamped packets. Control messages
>> + are already supported unconditionally on all packets with receive
>> + timestamps and on IPv6 packets with transmit timestamp. This option
>> + extends them to IPv4 packets with transmit timestamp. One use case
>> + is to correlate packets with their egress device, by enabling socket
>> + option IP_PKTINFO simultaneously.
>> +
>
> I haven't tested yet, but where in the code is the check for
> IP_PKTINFO being requested? I may have missed it.
See comment below
>> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
>> index 59eba6c..640f26c 100644
>> --- a/net/ipv4/ip_sockglue.c
>> +++ b/net/ipv4/ip_sockglue.c
>> @@ -399,6 +399,22 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf
>> kfree_skb(skb);
>> }
>>
>> +static bool ipv4_pktinfo_prepare_errqueue(const struct sock *sk,
>> + const struct sk_buff *skb,
>> + int ee_origin)
>> +{
>> + struct in_pktinfo *info = PKTINFO_SKB_CB(skb);
>> +
>> + if ((ee_origin != SO_EE_ORIGIN_TIMESTAMPING) ||
>> + (!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
>> + (!skb->dev))
>> + return false;
This function is called to decide whether to call ip_cmsg_recv when
the origin is not SO_EE_ORIGIN_ICMP. For other origins, the pktinfo
field is not initialized, so we initialize it here.
The socket owner must still set socket option IP_PKTINFO to exercise
the relevant code in ip_cmsg_recv:
unsigned int flags = inet->cmsg_flags;
if (flags & 1)
ip_cmsg_recv_pktinfo(msg, skb);
and
net/ipv4/ip_sockglue.c:48:#define IP_CMSG_PKTINFO 1
>> +
>> + info->ipi_spec_dst.s_addr = ip_hdr(skb)->saddr;
>
> Is this the source addr chosen by the initial routing decision when
> the packet was sent, or is it the final source addr on the way out?
> If the latter, is this an information leak when network namespaces are
> in use?
Not as long as the entire payload is looped back with the metadata,
as it is currently. Note my suggested fix at the top: to give processes
an option to request timestamps without either, and to give the
administrator the option to drop all others.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists