lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Jan 2020 11:51:27 -0800 (PST) From: David Miller <davem@...emloft.net> To: sunilmut@...rosoft.com Cc: netdev@...r.kernel.org, decui@...rosoft.com, sthemmin@...rosoft.com, sashal@...nel.org, linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH net]: hv_sock: Remove the accept port restriction From: Sunil Muthuswamy <sunilmut@...rosoft.com> Date: Tue, 14 Jan 2020 00:52:14 +0000 > Currently, hv_sock restricts the port the guest socket can accept > connections on. hv_sock divides the socket port namespace into two parts > for server side (listening socket), 0-0x7FFFFFFF & 0x80000000-0xFFFFFFFF > (there are no restrictions on client port namespace). The first part > (0-0x7FFFFFFF) is reserved for sockets where connections can be accepted. > The second part (0x80000000-0xFFFFFFFF) is reserved for allocating ports > for the peer (host) socket, once a connection is accepted. > This reservation of the port namespace is specific to hv_sock and not > known by the generic vsock library (ex: af_vsock). This is problematic > because auto-binds/ephemeral ports are handled by the generic vsock > library and it has no knowledge of this port reservation and could > allocate a port that is not compatible with hv_sock (and legitimately so). > The issue hasn't surfaced so far because the auto-bind code of vsock > (__vsock_bind_stream) prior to the change 'VSOCK: bind to random port for > VMADDR_PORT_ANY' would start walking up from LAST_RESERVED_PORT (1023) and > start assigning ports. That will take a large number of iterations to hit > 0x7FFFFFFF. But, after the above change to randomize port selection, the > issue has started coming up more frequently. > There has really been no good reason to have this port reservation logic > in hv_sock from the get go. Reserving a local port for peer ports is not > how things are handled generally. Peer ports should reflect the peer port. > This fixes the issue by lifting the port reservation, and also returns the > right peer port. Since the code converts the GUID to the peer port (by > using the first 4 bytes), there is a possibility of conflicts, but that > seems like a reasonable risk to take, given this is limited to vsock and > that only applies to all local sockets. > > Signed-off-by: Sunil Muthuswamy <sunilmut@...rosoft.com> Applied.
Powered by blists - more mailing lists