| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Nov 2019 22:56:05 -0800
From: John Fastabend <john.fastabend@...il.com>
To: Jakub Kicinski <jakub.kicinski@...ronome.com>,
john.fastabend@...il.com, daniel@...earbox.net
Cc: borisp@...lanox.com, aviadye@...lanox.com, netdev@...r.kernel.org,
syzbot+df0d4ec12332661dd1f9@...kaller.appspotmail.com
Subject: Re: [RFC net] net/tls: clear SG markings on encryption error
Jakub Kicinski wrote:
> On Fri, 22 Nov 2019 13:45:53 -0800, Jakub Kicinski wrote:
> > Also there's at least one more bug in this piece of code, TLS 1.3
> > can't assume there's at least one free SG entry.
>
> And I don't see any place where the front and back of the SG circular
> buffer are actually chained :( This:
The easiest way to generate a message that needs to be chained is to
use cork but we haven't yet enabled cork. However, there is one case
with the use of apply, pass, and drop that I think this case could
also be generated. I'll add a test for it and a fix. This case should
only be hit when using with BPF and programs using apply/cork.
I have the patches for cork support on a branch as well so we should
probably just send those out.
>
> static inline void sk_msg_init(struct sk_msg *msg)
> {
> BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
> memset(msg, 0, sizeof(*msg));
> sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
> }
>
> looks questionable as well, we shouldn't mark MAX_MSG_FRAGS as the end,
> we don't know where the end is going to be..
We use end->MAX_MSG_FRAGS and size==0 to indicate an fresh sk_msg. This
should only ever be called to initialize a msg never afterwards.
>
> diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
> index 6cb077b646a5..6c6ce6f90e7d 100644
> --- a/include/linux/skmsg.h
> +++ b/include/linux/skmsg.h
> @@ -173,9 +173,8 @@ static inline void sk_msg_clear_meta(struct sk_msg *msg)
>
> static inline void sk_msg_init(struct sk_msg *msg)
> {
> - BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
> memset(msg, 0, sizeof(*msg));
> - sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
> + sg_chain(msg->sg.data, ARRAY_SIZE(msg->sg.data), msg->sg.data);
> }
>
I don't think we want to chain these here. We could drop the init
marker part but its handy when reading sg values.
> static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src,
>
> Hm?
Nice catch on the missing chaining we dropped across various revisions
and rebases of the code. Without cork support our test cases don't hit
it now.
Powered by blists - more mailing lists