lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1427028981.25985.48.camel@edumazet-glaptop2.roam.corp.google.com>
Date:	Sun, 22 Mar 2015 05:56:21 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Herbert Xu <herbert@...dor.apana.org.au>
Cc:	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
	Roland Dreier <roland@...estorage.com>
Subject: Re: arp_hash

On Sun, 2015-03-22 at 22:42 +1100, Herbert Xu wrote:
> Hi Dave:
> 
> While googling I found the 2011 discussion on changing the arp_hash
> function.  I must say that I'm not really impressed by the new
> function that replaced jhash :)
> 
> 	u32 key = *(const u32 *)pkey;
> 	u32 val = key ^ hash32_ptr(dev);
> 
> 	return val * hash_rnd[0];
> 
> Here pkey is the IP address (controllable by the attacker).  It
> gets xored with the device pointer hash, which on x86-64 looks
> like (0xffffffff ^ ptr) where ptr is a 32-bit value.  As ptr
> must be aligned to at least 8 bytes (I think 16 is probably required
> but I haven't checked), that means the bottom three bits of ptr
> are 000 and hence the bottom three bits of hash32_ptr(dev) are
> always 111.
> 
> So the attacker just has to use only addresses with the bottom
> 3 bits set to 111 and voila, the bottom three bits of val are
> always 000.  So you've just cut down your search space by a factor
> of 8.  If my assumption above of the 16-byte alignment is correct
> then you can cut it down by a factor of 16.
> 
> If the attacker can somehow get the pointer value of the device
> then all is lost since they could set any number of the low bits
> of val to zero.

On x86_64, hash32_ptr(ptr) is not (0xffffffff ^ ptr) please look again.

Anyway, trying to avoid ARP 'attacks' is a lost battle.

Adding jhash() or whatever crypto will not fundamentally avoid the issue
there. 


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ