lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5dd8d805af315_3cdc2b06f70e05b490@john-XPS-13-9370.notmuch>
Date:   Fri, 22 Nov 2019 22:56:05 -0800
From:   John Fastabend <john.fastabend@...il.com>
To:     Jakub Kicinski <jakub.kicinski@...ronome.com>,
        john.fastabend@...il.com, daniel@...earbox.net
Cc:     borisp@...lanox.com, aviadye@...lanox.com, netdev@...r.kernel.org,
        syzbot+df0d4ec12332661dd1f9@...kaller.appspotmail.com
Subject: Re: [RFC net] net/tls: clear SG markings on encryption error

Jakub Kicinski wrote:
> On Fri, 22 Nov 2019 13:45:53 -0800, Jakub Kicinski wrote:
> > Also there's at least one more bug in this piece of code, TLS 1.3
> > can't assume there's at least one free SG entry.
> 
> And I don't see any place where the front and back of the SG circular
> buffer are actually chained :( This:

The easiest way to generate a message that needs to be chained is to
use cork but we haven't yet enabled cork. However, there is one case
with the use of apply, pass, and drop that I think this case could
also be generated. I'll add a test for it and a fix. This case should
only be hit when using with BPF and programs using apply/cork.

I have the patches for cork support on a branch as well so we should
probably just send those out.

> 
> static inline void sk_msg_init(struct sk_msg *msg)
> {
> 	BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
> 	memset(msg, 0, sizeof(*msg));
> 	sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
> }
> 
> looks questionable as well, we shouldn't mark MAX_MSG_FRAGS as the end,
> we don't know where the end is going to be..

We use end->MAX_MSG_FRAGS and size==0 to indicate an fresh sk_msg. This
should only ever be called to initialize a msg never afterwards.

> 
> diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
> index 6cb077b646a5..6c6ce6f90e7d 100644
> --- a/include/linux/skmsg.h
> +++ b/include/linux/skmsg.h
> @@ -173,9 +173,8 @@ static inline void sk_msg_clear_meta(struct sk_msg *msg)
>  
>  static inline void sk_msg_init(struct sk_msg *msg)
>  {
> -       BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
>         memset(msg, 0, sizeof(*msg));
> -       sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
> +       sg_chain(msg->sg.data, ARRAY_SIZE(msg->sg.data), msg->sg.data);
>  }
>  

I don't think we want to chain these here. We could drop the init
marker part but its handy when reading sg values.

>  static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src,
> 
> Hm?

Nice catch on the missing chaining we dropped across various revisions
and rebases of the code. Without cork support our test cases don't hit
it now.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ