lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 4 Apr 2021 15:04:35 +0000
From:   Danielle Ratson <danieller@...dia.com>
To:     Andrew Lunn <andrew@...n.ch>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "eric.dumazet@...il.com" <eric.dumazet@...il.com>,
        "mkubecek@...e.cz" <mkubecek@...e.cz>,
        "f.fainelli@...il.com" <f.fainelli@...il.com>,
        "acardace@...hat.com" <acardace@...hat.com>,
        "irusskikh@...vell.com" <irusskikh@...vell.com>,
        "gustavo@...eddedor.com" <gustavo@...eddedor.com>,
        "magnus.karlsson@...el.com" <magnus.karlsson@...el.com>,
        "ecree@...arflare.com" <ecree@...arflare.com>,
        Ido Schimmel <idosch@...dia.com>, Jiri Pirko <jiri@...dia.com>,
        mlxsw <mlxsw@...dia.com>
Subject: RE: [PATCH net v2 1/2] ethtool: Add link_mode parameter capability
 bit to ethtool_ops



> -----Original Message-----
> From: Andrew Lunn <andrew@...n.ch>
> Sent: Sunday, April 4, 2021 5:18 PM
> To: Danielle Ratson <danieller@...dia.com>
> Cc: netdev@...r.kernel.org; davem@...emloft.net; kuba@...nel.org; eric.dumazet@...il.com; mkubecek@...e.cz;
> f.fainelli@...il.com; acardace@...hat.com; irusskikh@...vell.com; gustavo@...eddedor.com; magnus.karlsson@...el.com;
> ecree@...arflare.com; Ido Schimmel <idosch@...dia.com>; Jiri Pirko <jiri@...dia.com>; mlxsw <mlxsw@...dia.com>
> Subject: Re: [PATCH net v2 1/2] ethtool: Add link_mode parameter capability bit to ethtool_ops
> 
> On Sun, Apr 04, 2021 at 11:14:32AM +0300, Danielle Ratson wrote:
> > Some drivers clear the 'ethtool_link_ksettings' struct in their
> > get_link_ksettings() callback, before populating it with actual values.
> > Such drivers will set the new 'link_mode' field to zero, resulting in
> > user space receiving wrong link mode information given that zero is a
> > valid value for the field.
> 
> That sounds like the bug, that 0 means something, not that the structure is zeroed. It is good practice to zero structures about to be
> returned to user space otherwise you could leak stack information etc.
> 
> Do we still have time to fix the KAPI, so zero means unset? Where in the workflow is the patch adding this feature? Is it in a released
> kernel? or -rc kernel?

First, it is not the API structure that is passed to user space. Please pay attention that the link_mode field is added to "ethtool_link_ksettings" and not "ethtool_link_settings", which is the API.
So I am not sure what leak could happen in that situation, could you explain?

Second, the link_mode indices are uAPI, so 0 is not forbidden.

> 
> > Fix this by introducing a new capability bit
> > ('cap_link_mode_supported') to ethtool_ops, which indicates whether the driver supports 'link_mode'
> > parameter or not. Set it to true in mlxsw which is currently the only
> > driver supporting 'link_mode'.
> >
> > Another problem is that some drivers (notably tun) can report random
> > values in the 'link_mode' field. This can result in a general
> > protection fault when the field is used as an index to the
> > 'link_mode_params' array [1].
> >
> > This happens because such drivers implement their set_link_ksettings()
> > callback by simply overwriting their private copy of
> > 'ethtool_link_ksettings' struct with the one they get from the stack,
> > which is not always properly initialized.
> >
> > Fix this by making sure that the implied parameters will be derived
> > from the 'link_mode' parameter only when the 'cap_link_mode_supported' is set.
> 
> So you left in place the kernel memory leak to user space? Or is there an additional patch to fix tun as well?
> 
>    Andrew

Again, not sure what is the memory leak you are talking about. 
This patch solves the protection fault in tun driver, by the fact that now we are paying attention to the link_mode value only if the driver confirmed it supports the link_mode and set it properly.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ