lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 5 Oct 2023 18:39:51 +0300
From: David Kahurani <k.kahurani@...il.com>
To: Jakub Kicinski <kuba@...nel.org>, Juergen Gross <jgross@...e.com>
Cc: xen-devel@...ts.xenproject.org, netdev@...r.kernel.org, wei.liu@...nel.org, 
	paul@....org
Subject: Re: [PATCH] net/xen-netback: Break build if netback slots > max_skbs
 + 1

This change was suggested by Juergen and looked okay and straightforward to me.

On Wed, Oct 4, 2023 at 9:48 PM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Wed, 27 Sep 2023 11:29:18 +0300 David Kahurani wrote:
> > If XEN_NETBK_LEGACY_SLOTS_MAX and MAX_SKB_FRAGS have a difference of
> > more than 1, with MAX_SKB_FRAGS being the lesser value, it opens up a
> > path for null-dereference. It was also noted that some distributions
> > were modifying upstream behaviour in that direction which necessitates
> > this patch.
>
> MAX_SKB_FRAGS can now be set via Kconfig, this allows us to create
> larger super-packets. Can XEN_NETBK_LEGACY_SLOTS_MAX be made relative
> to MAX_SKB_FRAGS, or does the number have to match between guest and
> host?

Historically, netback driver allows for a maximum of 18 fragments.
With recent changes, it also relies on the assumption that the
difference between MAX_SKB_FRAGS and XEN_NETBK_LEGACY_SLOTS_MAX is one
and MAX_SKB_FRAGS is the lesser value.

Now, look at Ubuntu kernel for instance( a change has been made and,
presumably, with good reason so we have reason to assume that the
change will persist in future releases).

/* To allow 64K frame to be packed as single skb without frag_list we
 * require 64K/PAGE_SIZE pages plus 1 additional page to allow for
 * buffers which do not start on a page boundary.
 *
 * Since GRO uses frags we allocate at least 16 regardless of page
 * size.
 */
#if (65536/PAGE_SIZE + 1) < 16
#define MAX_SKB_FRAGS 16UL
#else
#define MAX_SKB_FRAGS (65536/PAGE_SIZE + 1)
#endif

So, MAX_SKB_FRAGS can sometimes be 16. This is exactly what we're
trying to avoid with this patch. I host running with this change is
vulnerable to attack by the guest(though, this will only happen when
PAGE_SIZE > 4096).

Option #2 would be to add a Kconfig dependency for the driver
> to make sure high MAX_SKB_FRAGS is incompatible with it.

netback doesn't support larger super-packets. At least as of now. The
maximum number of fragments in a packet is 18. Any packets with the
number of fragments above that value from the guest are dropped. I
would assume that support for super-packets is probably something that
should be worked on or maybe even is already being worked on. However,
this is not the issue we are trying to fix in this patch.

>
> Breaking the build will make build bots very sad.

This patch build should not break build for upstream. It will only
break for those patching upstream behaviour. My intent is not to break
build bots but to alert someone building that netback doesn't work
with the particular MAX_SKB_FRAGS value. Seeing as they have modified
upstream behaviour, then, they might as well take a look at the issue
and make a decision themselves. Seeing as this issue will hit the
distros before it goes downstream, I don't think it should be a
problem for users.

>
> We'll also need a Fixes tag, I presume this is a fix?

Yeah, I guess that would be needed too.

> --
> pw-bot: cr

Powered by blists - more mailing lists