lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250110183307.4bfba412@kernel.org>
Date: Fri, 10 Jan 2025 18:33:07 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Jamal Hadi Salim <jhs@...atatu.com>
Cc: netdev@...r.kernel.org, jiri@...nulli.us, xiyou.wangcong@...il.com,
 davem@...emloft.net, edumazet@...gle.com, security@...nel.org,
 nnamrec@...il.com
Subject: Re: [PATCH net 1/1 v2] net: sched: Disallow replacing of child
 qdisc from one parent to another

On Fri, 10 Jan 2025 09:48:02 -0500 Jamal Hadi Salim wrote:
> There are two possible intentions/meanings from reading that dump:
> a) the pfifo queue with handle 204: is intended to be shared by both
> parent 100:1 and 100:4 --> refcount of 2 takes care of that. But then
> you can question should the parent have stayed the same or should we
> use the new one? We could keep track of both parents but that is
> another surgery which seemed unnecessary.
> b) We intended "replace" to move the pfifo queue id 204: from 100:4 to
> 100:1. In which case we would need to do some other surgery which
> includes getting things pointed to the new parent only.
> 
> While #a may be practical it could be achieved by building the proper
> qdisc/class hierarchies. I am not sure of practical use #b. In both
> cases it seemed to me prevention is better than the cure.
> Question for you for that test: Which of these two were you intending?
>  It could be you just wanted to ensure some grafting happened, in
> which case we can adjust the test case.

Yes, adjusting the test sounds good. I was testing visibility after
supported operations. If the operation is no longer supported there's
nothing to test :)

> Like 99.99% of bugs being reported on tc, someone found a clever way
> to use netlink to put kernel state in an awkward position.  And like
> most fixes it just requires more checks against incoming control into
> the kernel.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ