lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 25 Nov 2019 11:58:52 -0800
From:   Jakub Kicinski <jakub.kicinski@...ronome.com>
To:     John Fastabend <john.fastabend@...il.com>
Cc:     daniel@...earbox.net, borisp@...lanox.com, aviadye@...lanox.com,
        netdev@...r.kernel.org,
        syzbot+df0d4ec12332661dd1f9@...kaller.appspotmail.com
Subject: Re: [RFC net] net/tls: clear SG markings on encryption error

On Fri, 22 Nov 2019 22:56:05 -0800, John Fastabend wrote:
> Jakub Kicinski wrote:
> > On Fri, 22 Nov 2019 13:45:53 -0800, Jakub Kicinski wrote:  
> > > Also there's at least one more bug in this piece of code, TLS 1.3
> > > can't assume there's at least one free SG entry.  
> > 
> > And I don't see any place where the front and back of the SG circular
> > buffer are actually chained :( This:  
> 
> The easiest way to generate a message that needs to be chained is to
> use cork but we haven't yet enabled cork. However, there is one case
> with the use of apply, pass, and drop that I think this case could
> also be generated. I'll add a test for it and a fix. This case should
> only be hit when using with BPF and programs using apply/cork.
> 
> I have the patches for cork support on a branch as well so we should
> probably just send those out.
> 
> > 
> > static inline void sk_msg_init(struct sk_msg *msg)
> > {
> > 	BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
> > 	memset(msg, 0, sizeof(*msg));
> > 	sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
> > }
> > 
> > looks questionable as well, we shouldn't mark MAX_MSG_FRAGS as the end,
> > we don't know where the end is going to be..  
> 
> We use end->MAX_MSG_FRAGS and size==0 to indicate an fresh sk_msg. This
> should only ever be called to initialize a msg never afterwards.
> 
> > 
> > diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
> > index 6cb077b646a5..6c6ce6f90e7d 100644
> > --- a/include/linux/skmsg.h
> > +++ b/include/linux/skmsg.h
> > @@ -173,9 +173,8 @@ static inline void sk_msg_clear_meta(struct sk_msg *msg)
> >  
> >  static inline void sk_msg_init(struct sk_msg *msg)
> >  {
> > -       BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != MAX_MSG_FRAGS);
> >         memset(msg, 0, sizeof(*msg));
> > -       sg_init_marker(msg->sg.data, MAX_MSG_FRAGS);
> > +       sg_chain(msg->sg.data, ARRAY_SIZE(msg->sg.data), msg->sg.data);
> >  }
> >    
> 
> I don't think we want to chain these here. We could drop the init
> marker part but its handy when reading sg values.
> 
> >  static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src,
> > 
> > Hm?  
> 
> Nice catch on the missing chaining we dropped across various revisions
> and rebases of the code. Without cork support our test cases don't hit
> it now.

I see, thanks for the explanation! I'll leave fixing the chaining to
you, then.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ