lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 26 Nov 2018 12:03:39 +0800
From:   Jason Wang <jasowang@...hat.com>
To:     David Miller <davem@...emloft.net>
Cc:     mst@...hat.com, virtualization@...ts.linux-foundation.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        brouer@...hat.com, pashinho1990@...il.com, dsahern@...il.com
Subject: Re: [PATCH net 1/2] virtio-net: disable guest csum during XDP set


On 2018/11/24 上午4:01, David Miller wrote:
> From: Jason Wang <jasowang@...hat.com>
> Date: Thu, 22 Nov 2018 14:36:30 +0800
>
>> We don't disable VIRTIO_NET_F_GUEST_CSUM if XDP was set. This means we
>> can receive partial csumed packets with metadata kept in the
>> vnet_hdr. This may have several side effects:
>>
>> - It could be overridden by header adjustment, thus is might be not
>>    correct after XDP processing.
>> - There's no way to pass such metadata information through
>>    XDP_REDIRECT to another driver.
>> - XDP does not support checksum offload right now.
>>
>> So simply disable guest csum if possible in this the case of XDP.
>>
>> Fixes: 3f93522ffab2d ("virtio-net: switch off offloads on demand if possible on XDP set")
>> Reported-by: Jesper Dangaard Brouer <brouer@...hat.com>
>> Cc: Jesper Dangaard Brouer <brouer@...hat.com>
>> Cc: Pavel Popa <pashinho1990@...il.com>
>> Cc: David Ahern <dsahern@...il.com>
>> Signed-off-by: Jason Wang <jasowang@...hat.com>
> Applied and queued up for -stable.
>
> We really should have a way to use the checksum provided if the XDP
> program returns XDP_PASS and does not modify the packet contents
> or size.


Yes, I think this may require the assistance of BPF verifier to set a 
flag or other. Then we can assume the metadata is safe to use.

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ