| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Mar 2019 11:46:20 +0100
From: Maciej Fijalkowski <maciejromanfijalkowski@...il.com>
To: Björn Töpel <bjorn.topel@...il.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Netdev <netdev@...r.kernel.org>,
Björn Töpel
<bjorn.topel@...el.com>,
"Karlsson, Magnus" <magnus.karlsson@...el.com>,
Magnus Karlsson <magnus.karlsson@...il.com>,
bpf <bpf@...r.kernel.org>
Subject: Re: [PATCH bpf 1/2] xsk: fix to reject invalid flags in xsk_bind
On Fri, 8 Mar 2019 11:11:05 +0100
Björn Töpel <bjorn.topel@...il.com> wrote:
> On Fri, 8 Mar 2019 at 11:00, Maciej Fijalkowski
> <maciejromanfijalkowski@...il.com> wrote:
> >
> > On Fri, 8 Mar 2019 08:57:26 +0100
> > Björn Töpel <bjorn.topel@...il.com> wrote:
> >
> > > From: Björn Töpel <bjorn.topel@...el.com>
> > >
> > > Passing a non-existing flag in the sxdp_flags member of struct
> > > sockaddr_xdp was, incorrectly, silently ignored. This patch addresses
> > > that behavior, and rejects any non-existing flags.
> > >
> > > We have examined existing user space code, and to our best knowledge,
> > > no one is relying on the current incorrect behavior. AF_XDP is still
> > > in its infancy, so from our perspective, the risk of breakage is very
> > > low, and addressing this problem now is important.
> > >
> > > Fixes: 965a99098443 ("xsk: add support for bind for Rx")
> > > Signed-off-by: Björn Töpel <bjorn.topel@...el.com>
> > > ---
> > > net/xdp/xsk.c | 5 ++++-
> > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> > > index 6697084e3fdf..a14e8864e4fa 100644
> > > --- a/net/xdp/xsk.c
> > > +++ b/net/xdp/xsk.c
> > > @@ -407,6 +407,10 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
> > > if (sxdp->sxdp_family != AF_XDP)
> > > return -EINVAL;
> > >
> > > + flags = sxdp->sxdp_flags;
> > > + if (flags & ~(XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY))
> > > + return -EINVAL;
> > > +
> >
> > What about setting more than one flag at a time? Is it allowed/make any sense?
> > After a quick look it seems that they exclude each other, e.g. you can't force
> > a zero copy and copy mode at the same time. And for XDP_SHARED_UMEM two
> > remaining flags can't be set.
> >
> > So maybe check here also that only one particular flag is set by doing:
> >
> > if (hweight32(flags & (XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY)) > 1)
> > return -EINVAL;
> >
> > just like we do it for IFLA_XDP_FLAGS in net/core/rtnetlink.c?
> >
>
> We have flag semantic checks further down, and my rational was to
> *only* check unknown flags first. IMO the current patch is easier to
> understand, than your suggested one.
>
Hmm thought that bailing out earlier would be better and we could drop the
actual copy flags checks for shared umem. For xdp_umem_assign_dev() instead of
passing flags you could just pass a boolean whether you're doing zero copy or
not. And that brings up the question whether we really need a XDP_COPY flag?
> Thanks for taking a look!
>
> Cheers,
> Björn
>
> > > mutex_lock(&xs->mutex);
> > > if (xs->dev) {
> > > err = -EBUSY;
> > > @@ -425,7 +429,6 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
> > > }
> > >
> > > qid = sxdp->sxdp_queue_id;
> > > - flags = sxdp->sxdp_flags;
> > >
> > > if (flags & XDP_SHARED_UMEM) {
> > > struct xdp_sock *umem_xs;
> >
Powered by blists - more mailing lists