Date:   Thu, 8 Aug 2019 12:45:40 +0200
From:   Eric Dumazet <edumazet@...gle.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     David Miller <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        m@...bda.lt, Alexei Starovoitov <ast@...nel.org>,
        Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH net 1/2] sock: make cookie generation global instead of per netns

On Thu, Aug 8, 2019 at 11:50 AM Daniel Borkmann <daniel@...earbox.net> wrote:
>

> Socket cookie consumers must assume the value as opaque in any case.
> The cookie does not guarantee an always unique identifier since it
> could wrap in fabricated corner cases where two sockets could end up
> holding the same cookie,

What do you mean by this?

Cookie is guaranteed to be unique; it is from a 64-bit counter...

There should be no collision.

> but is good enough to be used as a hint for
> many use cases; not every socket must have a cookie generated hence
> knowledge of the counter value does not provide much value either way.
>
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> Cc: Eric Dumazet <edumazet@...gle.com>
> Cc: Alexei Starovoitov <ast@...nel.org>
> Cc: Willem de Bruijn <willemb@...gle.com>
> Cc: Martynas Pumputis <m@...bda.lt>
> ---
>  include/net/net_namespace.h | 1 -
>  include/uapi/linux/bpf.h    | 4 ++--
>  net/core/sock_diag.c        | 3 ++-
>  3 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
> index 4a9da951a794..cb668bc2692d 100644
> --- a/include/net/net_namespace.h
> +++ b/include/net/net_namespace.h
> @@ -61,7 +61,6 @@ struct net {
>         spinlock_t              rules_mod_lock;
>
>         u32                     hash_mix;
> -       atomic64_t              cookie_gen;
>
>         struct list_head        list;           /* list of network namespaces */
>         struct list_head        exit_list;      /* To linked to call pernet exit
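Review bot: dropping `cookie_gen` from `struct net` is only safe if `sock_gen_cookie()` in net/core/sock_diag.c was the sole reader of `sock_net(sk)->cookie_gen`; the diffstat touches no other .c file, which suggests that is the case, but the changelog should state it explicitly (e.g. "sock_gen_cookie() was the only user of the per-netns counter") so a reviewer can confirm nothing else still dereferences the removed field.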
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index fa1c753dcdbc..a5aa7d3ac6a1 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -1466,8 +1466,8 @@ union bpf_attr {
>   *             If no cookie has been set yet, generate a new cookie. Once
>   *             generated, the socket cookie remains stable for the life of the
>   *             socket. This helper can be useful for monitoring per socket
> - *             networking traffic statistics as it provides a unique socket
> - *             identifier per namespace.
> + *             networking traffic statistics as it provides a global socket
> + *             identifier that can be assumed unique.
>   *     Return
>   *             A 8-byte long non-decreasing number on success, or 0 if the
>   *             socket field is missing inside *skb*.
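Review bot: the new helper text "a global socket identifier that can be assumed unique" contradicts the commit message, which says the cookie "does not guarantee an always unique identifier since it could wrap" and must be treated as opaque; UAPI documentation is what BPF program authors rely on, so either drop the wrap caveat from the changelog or soften the doc to "a global socket identifier" without the uniqueness promise. Minor, in the unchanged Return context: "A 8-byte long" should read "An 8-byte long".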
> diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
> index 3312a5849a97..c13ffbd33d8d 100644
> --- a/net/core/sock_diag.c
> +++ b/net/core/sock_diag.c
> @@ -19,6 +19,7 @@ static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
>  static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
>  static DEFINE_MUTEX(sock_diag_table_mutex);
>  static struct workqueue_struct *broadcast_wq;
> +static atomic64_t cookie_gen;
>
>  u64 sock_gen_cookie(struct sock *sk)
>  {
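Review bot: `static atomic64_t cookie_gen;` now absorbs an `atomic64_inc_return()` from every socket on every CPU that needs a cookie, where before the contention was split per netns, and it is placed among other static data in this file (`sock_diag_table_mutex`, `broadcast_wq`), so consider marking it `____cacheline_aligned_in_smp` to avoid false sharing on that hot line. The code also relies on the implicit zero initialisation: the first `atomic64_inc_return()` yields 1, keeping 0 free as the "no cookie yet" sentinel that `sock_gen_cookie()` compares against; a one-line comment next to the declaration would record that dependency.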
> @@ -27,7 +28,7 @@ u64 sock_gen_cookie(struct sock *sk)
>
>                 if (res)
>                         return res;
> -               res = atomic64_inc_return(&sock_net(sk)->cookie_gen);
> +               res = atomic64_inc_return(&cookie_gen);
>                 atomic64_cmpxchg(&sk->sk_cookie, 0, res);
>         }
>  }
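Review bot: with a single host-wide counter, a cookie observed from inside a network namespace (via the BPF helper or sock_diag) now reflects socket creation across every namespace on the host rather than only the caller's own; the commit message asserts that "knowledge of the counter value does not provide much value either way", but the changelog should spell out which consumers can read the value and why a host-wide creation rate is considered harmless, so the information-exposure trade-off is recorded for future reviewers. The racing path itself is unchanged by this hunk: `atomic64_cmpxchg(&sk->sk_cookie, 0, res)` still lets the first writer win and a losing racer merely burns one counter value, so uniqueness is preserved and only contiguity is lost.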
> --
> 2.17.1
>
