From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top, jmaloy@redhat.com
Subject: Re: [PATCH v7 21/27] udp: Handle "spliced" datagrams with per-flow sockets
Date: Thu, 11 Jul 2024 12:48:48 +1000 [thread overview]
Message-ID: <Zo9IEGEw68D2SFL2@zatzit> (raw)
In-Reply-To: <20240710191316.53b7ac5d@elisabeth>
[-- Attachment #1: Type: text/plain, Size: 4025 bytes --]
On Wed, Jul 10, 2024 at 07:13:26PM +0200, Stefano Brivio wrote:
> On Wed, 10 Jul 2024 10:23:14 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
>
> > On Wed, Jul 10, 2024 at 12:32:33AM +0200, Stefano Brivio wrote:
> > > On Fri, 5 Jul 2024 12:07:18 +1000
> > > David Gibson <david@gibson.dropbear.id.au> wrote:
[snip]
> > > > + * need to.
> > > > + */
> > > > + /* cppcheck-suppress nullPointer */
> > > > + while (recv(uflow->s[TGTSIDE], NULL, 0, MSG_DONTWAIT) >= 0)
> > > > + ;
> > >
> > > Could a local attacker (another user) attempt to use this for denial of
> > > service?
> >
> > Ah, interesting question.
> >
> > > Of course, somebody could flood us anyway and we would get and handle
> > > all the events that that causes. But this case is different because we
> > > could get stuck for an unlimited amount of time without serving other
> > > sockets at all.
> >
> > Right.
> >
> > > If that's a possibility, perhaps a limit for this loop (a maximum
> > > amount of recv()) tries would be a good idea. I'm not sure how we should
> > > handle the case where we exceed the threshold.
> >
> > We could fail to create the flow. That would limit the damage, but
> > see below.
> >
> > > Another one, which adds some complexity, but looks more correct to me,
> > > would be to try a single recv() call, and if we get data from it, fail
> > > creating the new flow entirely.
> >
> > Right. I also considered a single recvmmsg(); the difficulty with
> > that is making suitable arrays for it, since the normal ones may be in
> > use at this point.
>
> For UDP, we don't need to make the buffers large enough to fit packets
> into them, see udp(7):
>
> All receive operations return only one packet. When the packet is
> smaller than the passed buffer, only that much data is returned; when it
> is bigger, the packet is truncated and the MSG_TRUNC flag is set.
>
> so probably 1024 bytes (1 * UIO_MAXIOV) on the stack would be enough...
> or maybe we can even pass 0 as size and NULL buffers?
We can (see doc/platform-requirements/recv-zero.c). And even if we
couldn't, we could use the same 1 byte buffer for all the datagrams.
We basically just need the actual msghdr array.
> If recvmmsg() returns UIO_MAXIOV, then something weird is going on and
> we can abort the "connection" attempt.
Seems reasonable; I've coded something up.
> > This removes the potential DoS of wedging passt completely, but raises
> > the possibility of a different one. Could an attacker - not
> > necessarily on the same host, but network-closer than the guest's
> > intended endpoint - prevent the guest from connecting to a particular
> > service by spamming fake reply packets here.
>
> Oops, I didn't think about that, that's also concerning. With my
> suggestion above, 1024 packets is all an attacker would need.
>
> But maybe there's a safe way to deal with this that's still simpler
> than a separate handler: using recvmmsg(), going through msg_name of
> the (truncated) messages we received with it, and trying to draw some
> conclusion about what kind of attack we're dealing with from there. I'm
> not sure exactly which conclusion, though.
>
> > I believe it would need to anticipate the guest's source port to do so,
> > which might be good enough.
>
> Linux does source port randomisation for UDP starting from 2.6.24, so
> that should be good enough, but given that we try to preserve the
> source port from the guest, we might make a guest that doesn't do port
> randomisation (albeit unlikely to be found) vulnerable to this.
Right. It feels like we're at least not making the guest dramatically
more vulnerable to something here, so I'm inclined to treat it as good
enough for now.
--
David Gibson (he or they) | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
| around.
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-07-11 2:52 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-05 2:06 [PATCH v7 00/27] Unified flow table David Gibson
2024-07-05 2:06 ` [PATCH v7 01/27] flow: Common address information for initiating side David Gibson
2024-07-05 2:06 ` [PATCH v7 02/27] flow: Common address information for target side David Gibson
2024-07-10 21:30 ` Stefano Brivio
2024-07-11 0:19 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 03/27] tcp, flow: Remove redundant information, repack connection structures David Gibson
2024-07-05 2:07 ` [PATCH v7 04/27] tcp: Obtain guest address from flowside David Gibson
2024-07-05 2:07 ` [PATCH v7 05/27] tcp: Manage outbound address via flow table David Gibson
2024-07-05 2:07 ` [PATCH v7 06/27] tcp: Simplify endpoint validation using flowside information David Gibson
2024-07-05 2:07 ` [PATCH v7 07/27] tcp_splice: Eliminate SPLICE_V6 flag David Gibson
2024-07-05 2:07 ` [PATCH v7 08/27] tcp, flow: Replace TCP specific hash function with general flow hash David Gibson
2024-07-05 2:07 ` [PATCH v7 09/27] flow, tcp: Generalise TCP hash table to general flow hash table David Gibson
2024-07-05 2:07 ` [PATCH v7 10/27] tcp: Re-use flow hash for initial sequence number generation David Gibson
2024-07-05 2:07 ` [PATCH v7 11/27] icmp: Remove redundant id field from flow table entry David Gibson
2024-07-05 2:07 ` [PATCH v7 12/27] icmp: Obtain destination addresses from the flowsides David Gibson
2024-07-05 2:07 ` [PATCH v7 13/27] icmp: Look up ping flows using flow hash David Gibson
2024-07-05 2:07 ` [PATCH v7 14/27] icmp: Eliminate icmp_id_map David Gibson
2024-07-05 2:07 ` [PATCH v7 15/27] flow: Helper to create sockets based on flowside David Gibson
2024-07-10 21:32 ` Stefano Brivio
2024-07-11 0:21 ` David Gibson
2024-07-11 0:27 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 16/27] icmp: Manage outbound socket address via flow table David Gibson
2024-07-05 2:07 ` [PATCH v7 17/27] flow, tcp: Flow based NAT and port forwarding for TCP David Gibson
2024-07-05 2:07 ` [PATCH v7 18/27] flow, icmp: Use general flow forwarding rules for ICMP David Gibson
2024-07-05 2:07 ` [PATCH v7 19/27] fwd: Update flow forwarding logic for UDP David Gibson
2024-07-08 21:26 ` Stefano Brivio
2024-07-09 0:19 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 20/27] udp: Create flows for datagrams from originating sockets David Gibson
2024-07-09 22:32 ` Stefano Brivio
2024-07-09 23:59 ` David Gibson
2024-07-10 21:35 ` Stefano Brivio
2024-07-11 4:26 ` David Gibson
2024-07-11 8:20 ` Stefano Brivio
2024-07-11 22:58 ` David Gibson
2024-07-12 8:21 ` Stefano Brivio
2024-07-15 4:06 ` David Gibson
2024-07-15 16:37 ` Stefano Brivio
2024-07-17 0:49 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 21/27] udp: Handle "spliced" datagrams with per-flow sockets David Gibson
2024-07-09 22:32 ` Stefano Brivio
2024-07-10 0:23 ` David Gibson
2024-07-10 17:13 ` Stefano Brivio
2024-07-11 1:30 ` David Gibson
2024-07-11 8:23 ` Stefano Brivio
2024-07-11 2:48 ` David Gibson [this message]
2024-07-12 13:34 ` Stefano Brivio
2024-07-15 4:32 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 22/27] udp: Remove obsolete splice tracking David Gibson
2024-07-10 21:36 ` Stefano Brivio
2024-07-11 0:43 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 23/27] udp: Find or create flows for datagrams from tap interface David Gibson
2024-07-10 21:36 ` Stefano Brivio
2024-07-11 0:45 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 24/27] udp: Direct datagrams from host to guest via flow table David Gibson
2024-07-10 21:37 ` Stefano Brivio
2024-07-11 0:46 ` David Gibson
2024-07-05 2:07 ` [PATCH v7 25/27] udp: Remove obsolete socket tracking David Gibson
2024-07-05 2:07 ` [PATCH v7 26/27] udp: Remove rdelta port forwarding maps David Gibson
2024-07-05 2:07 ` [PATCH v7 27/27] udp: Rename UDP listening sockets David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zo9IEGEw68D2SFL2@zatzit \
--to=david@gibson.dropbear.id.au \
--cc=jmaloy@redhat.com \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).