Date:   Sat, 17 Nov 2018 17:19:34 -0800
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     David Miller <davem@...emloft.net>, eric.dumazet@...il.com
Cc:     lirongqing@...du.com, netdev@...r.kernel.org
Subject: Re: [PATCH][net-next] net: slightly optimize eth_type_trans



On 11/17/2018 04:51 PM, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@...il.com>
> Date: Sat, 17 Nov 2018 14:37:12 -0800
> 
>>
>>
>> On 11/15/2018 03:11 PM, David Miller wrote:
>>
>>>
>>> Applied.
>>>
>>
>> While reviewing this stuff, I found we have a bug.
>>
>> If napi_reuse_skb() is called, we might inherit from prior skb->pkt_type value.
>>
>> It seems that GRO could aggregate packets with pkt_type != PACKET_HOST, right ?
>>
>> David, any objection if I submit the following fix ?
> 
> Oh weird, so we do GRO frags accumulation using SKB which never goes through
> eth_type_trans()?
> 
> I don't understand how we can, in this circumstance, assume PACKET_HOST?
> 
> Because that is what your suggested patch does.
> 
> Frame could be UDP multicast, and we could legitimately GRO accumulate it.
> In that situation setting PACKET_HOST doesn't seem correct.
> 

I might not have been very clear.

Issue is that with macvlan and GRO-friendly traffic we can receive the following packets:

P1-P2 with PACKET_OTHERHOST because eth_type_trans() detected the dst MAC is not the eth0 device mac address.

P2 has been aggregated to P1, so the sk_buff has been put to napi->skb via napi_reuse_skb()

Then we receive on same NAPI packet P3, for this host, reusing napi->skb that was saved (old P2 sk_buff).
skb->pkt_type is PACKET_OTHERHOST.

eth_type_trans() does not change skb->pkt_type because ethernet dst mac address is our ethernet mac address.

-> We feed the upper stack with P3, with incorrect pkt_type.

 -> packet is dropped because pkt_type != PACKET_HOST, for example in tcp_v4_rcv()
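
Added example, not part of the original message and not kernel code: a minimal user-space C model of the P2/P3 sequence described above. The struct, the MAC addresses and the `model_*` helpers are constructed for illustration, and the `reset_pkt_type` flag is an assumption that models resetting the field to PACKET_HOST when the skb is recycled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: names echo the kernel's, but these are not its definitions. */
enum { PACKET_HOST = 0, PACKET_MULTICAST = 2, PACKET_OTHERHOST = 3 };

struct sk_buff { unsigned char pkt_type; };

static const unsigned char dev_addr[6]   = {0x02, 0, 0, 0, 0, 0x01}; /* constructed eth0 MAC */
static const unsigned char vlan_addr[6]  = {0x02, 0, 0, 0, 0, 0x02}; /* constructed macvlan MAC */
static const unsigned char mcast_addr[6] = {0x01, 0, 0x5e, 0, 0, 1}; /* constructed group MAC */

/* Model of eth_type_trans() as described in the thread: pkt_type is written
 * only when the destination is NOT the device's own address. */
static void model_eth_type_trans(struct sk_buff *skb, const unsigned char *dst)
{
    if (dst[0] & 1)                          /* group bit set (broadcast folded in) */
        skb->pkt_type = PACKET_MULTICAST;
    else if (memcmp(dst, dev_addr, 6) != 0)
        skb->pkt_type = PACKET_OTHERHOST;
    /* dst == dev_addr: field left untouched, assumed to already be PACKET_HOST */
}

/* Model of recycling the skb into napi->skb after its data was aggregated. */
static void model_napi_reuse_skb(struct sk_buff *skb, int reset_pkt_type)
{
    if (reset_pkt_type)
        skb->pkt_type = PACKET_HOST;         /* restore the "fresh skb" default */
}

/* P2 (for the macvlan MAC) is merged into P1 and its skb recycled; the next
 * frame, addressed to dst, then reuses it. Returns the pkt_type delivered. */
static int deliver_after_reuse(const unsigned char *dst, int reset_pkt_type)
{
    struct sk_buff skb = { PACKET_HOST };    /* freshly allocated skb */
    model_eth_type_trans(&skb, vlan_addr);   /* P2 -> PACKET_OTHERHOST */
    model_napi_reuse_skb(&skb, reset_pkt_type);
    model_eth_type_trans(&skb, dst);         /* next frame on the same NAPI */
    return skb.pkt_type;
}

int main(void)
{
    printf("P3 to host, no reset:   %d\n", deliver_after_reuse(dev_addr, 0));
    printf("P3 to host, with reset: %d\n", deliver_after_reuse(dev_addr, 1));
    printf("multicast, with reset:  %d\n", deliver_after_reuse(mcast_addr, 1));
    return 0;
}
```

In this model a frame addressed to a group MAC is still reclassified after the reset, because the default only survives when the destination is the device's own address.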
