Date: Wed, 11 Oct 2023 13:26:23 -0400
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Christian Theune <ct@...ingcircus.io>
Cc: Jakub Kicinski <kuba@...nel.org>, Pedro Tammela <pctammela@...atatu.com>, markovicbudimir@...il.com, 
	stable@...r.kernel.org, netdev@...r.kernel.org, 
	Linux regressions mailing list <regressions@...ts.linux.dev>, davem@...emloft.net, edumazet@...gle.com, 
	pabeni@...hat.com
Subject: Re: [REGRESSION] Userland interface breaks due to hard HFSC_FSC requirement

On Tue, Oct 10, 2023 at 1:32 PM Christian Theune <ct@...ingcircus.io> wrote:
>
> Hi,
>
> > On 10. Oct 2023, at 17:02, Jamal Hadi Salim <jhs@...atatu.com> wrote:
> >
> > This is a tough one - as it stands right now we don't see a good way
> > out. It's either "exploitable by root / userns" or break uapi.
> > Christian - can you send your "working" scripts, simplified if
> > possible, and we'll take a look.
>
> Sure, what kind of simplification are we talking about? Something like this?
>
> #### snip
> #!/bin/bash
> modprobe ifb
> modprobe act_mirred
>
> uplink=eth0
> uplink_ingress=ifb0
>
> tc qdisc add dev $uplink handle ffff: ingress
> ifconfig $uplink up
>
> tc filter add dev $uplink parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $uplink_ingress
>
> tc qdisc add dev $uplink_ingress root handle 1: hfsc default 1
> tc class add dev $uplink_ingress parent 1: classid 1:999 hfsc rt m2 2.5gbit
> tc class add dev $uplink_ingress parent 1:999 classid 1:1 hfsc sc rate 50mbit
> #### snap
>
> This should provoke the error reliably. You might need to point it at whatever network interface is available, but you need to be prepared to lose connectivity.
>

Ok - thanks, we'll look at this from the perspective of both ensuring
UAF is gone and making your config happy. TBH, in my view UAF comes
first but we can debate that later.

cheers,
jamal
> Christian
>
>
> Kind regards,
> Christian Theune
>
> --
> Christian Theune · ct@...ingcircus.io · +49 345 219401 0
> Flying Circus Internet Operations GmbH · https://flyingcircus.io
> Leipziger Str. 70/71 · 06108 Halle (Saale) · Germany
> HR Stendal HRB 21169 · Managing directors: Christian Theune, Christian Zagrodnick
>
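
Added example, not part of the thread or of the kernel's code: a small audit for tc scripts ahead of a kernel update, flagging HFSC classes that have children but were declared without `ls` or `sc`. It assumes these two keywords are the only ones that set the fair-service curve (the HFSC_FSC flag named in the subject); `hfsc_audit`, `thread_config` and `sc_variant` are names made up for this example.

```shell
#!/bin/bash
# Added example (not from the thread): flag HFSC classes that are used as a
# parent but were defined without a fair-service curve.
# Assumption: only the "ls" and "sc" keywords give a class an fsc.

hfsc_audit() {   # reads tc commands on stdin; exit status 1 if anything is flagged
  awk '
    $1 == "tc" && $2 == "class" && $3 ~ /^(add|change|replace)$/ {
      parent = ""; classid = ""; is_hfsc = 0; has_fsc = 0
      for (i = 4; i <= NF; i++) {
        if ($i == "parent")       parent  = $(i + 1)
        else if ($i == "classid") classid = $(i + 1)
        else if ($i == "hfsc")    is_hfsc = 1
        else if (is_hfsc && ($i == "ls" || $i == "sc")) has_fsc = 1
      }
      if (!is_hfsc || classid == "") next
      if (!(classid in fsc)) order[++n] = classid
      fsc[classid] = fsc[classid] || has_fsc
      # A parent like "1:" is the qdisc root, not a class, so it is skipped.
      if (parent != "" && parent !~ /:$/) kids[parent] = kids[parent] " " classid
    }
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        if ((p in kids) && !fsc[p]) {
          printf "%s: parent of%s but has no ls/sc curve\n", p, kids[p]
          bad = 1
        }
      }
      exit bad + 0
    }'
}

# The two class lines from the script quoted above.
thread_config() {
  cat <<'EOF'
tc class add dev $uplink_ingress parent 1: classid 1:999 hfsc rt m2 2.5gbit
tc class add dev $uplink_ingress parent 1:999 classid 1:1 hfsc sc rate 50mbit
EOF
}

# Constructed variant: the inner class is declared with "sc" instead of "rt".
sc_variant() { thread_config | sed 's/hfsc rt m2/hfsc sc m2/'; }

thread_config | hfsc_audit || echo "thread config: flagged"
sc_variant    | hfsc_audit && echo "sc variant: clean"
```

The audit only reads the text of a script; it does not query a live system, and it only knows about classes defined in the input it is given.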
