lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 24 Apr 2019 20:48:16 +0000
From:   "Elmahrad, Abdelghani" <Abdel.Elmahrad@...driver.com>
To:     "Bai, Haiqing" <Haiqing.Bai@...driver.com>,
        David Miller <davem@...emloft.net>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH] net: socket: Exit earlier from __sock_create if
 CONFIG_IPV6 is disabled

Thanks David for the quick feedback.
As Haiqing mentioned, we all agree this is not an ideal solution but that code/comment is still present in latest kernel and nothing else has been proposed/discussed upstream despites the fact the author of that code himself 
questions his approach in the disputed code snippet.

#ifdef CONFIG_MODULES 
/* Attempt to load a protocol module if the find failed. 
* 
* 12/09/1996 Marcin: But! this makes REALLY only sense, if the user 
* requested real, full-featured networking support upon configuration. 
* Otherwise module support will break! 
*/ 
if (rcu_access_pointer(net_families[family]) == NULL) 
request_module("net-pf-%d", family); 
#endif


The issue with this code is that socket(AF_INET6, SOCK_STREAM, 0) takes 10ms to fail because socket.c still wants to attempt to load it while IPv6 is disabled. The root cause is that socket() and in particular __sock_create() in net/socket.c attempts to load IPV6 module even though IPV6 is not configured. 

For the sake of completeness, this is observed in a specific context with PPC based project with IPv6 kernel config disabled... while the layer that provides OS abstraction does support IPv6 for x86 ONLY... first attempts to create IPV6 socket and fails after 10ms.

Although that can be seen as a corner case, that's not the point here. Many of our customers are reporting this as a bug ...as per the author comment anticipated.

The eventual goal is to find a better way to deal with this...upstream.

-----Original Message-----
From: Bai, Haiqing <Haiqing.Bai@...driver.com> 
Sent: April 23, 2019 11:02 PM
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org; Elmahrad, Abdelghani <Abdel.Elmahrad@...driver.com>
Subject: RE: [PATCH] net: socket: Exit earlier from __sock_create if CONFIG_IPV6 is disabled

Actually I know this clearly,  just bring your attention on this issue , I think this is a mechanism issue.
Though we have no good idea to fix this, but I believe firmly that you kernel experts must have some smart and beautiful solution.
Thanks.


-----Original Message-----
From: David Miller [mailto:davem@...emloft.net]
Sent: 2019年4月24日 9:43
To: Bai, Haiqing
Cc: netdev@...r.kernel.org; Elmahrad, Abdelghani
Subject: Re: [PATCH] net: socket: Exit earlier from __sock_create if CONFIG_IPV6 is disabled

From: Haiqing Bai <Haiqing.Bai@...driver.com>
Date: Tue, 23 Apr 2019 17:00:23 +0800

> diff --git a/net/socket.c b/net/socket.c index 
> 8255f5bda0aa..7927c2bcad65 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1339,6 +1339,11 @@ int __sock_create(struct net *net, int family, int type, int protocol,
>  	if (type < 0 || type >= SOCK_MAX)
>  		return -EINVAL;
>  
> +#if !(IS_ENABLED(CONFIG_IPV6))
> +	if (family == AF_INET6)
> +		return -EAFNOSUPPORT;
> +#endif

There is no way I am allowing this kind of layering violation.  It's just rediculous.

Powered by blists - more mailing lists