From: "Richardson, Bruce" <bruce.richardson@intel.com>
To: Hemant Agrawal <hemant.agrawal@nxp.com>,
Olivier Matz <olivier.matz@6wind.com>,
"Wiles, Keith" <keith.wiles@intel.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>, Shreyansh Jain <shreyansh.jain@nxp.com>
Subject: Re: [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum
Date: Tue, 18 Dec 2018 13:12:46 +0000 [thread overview]
Message-ID: <59AF69C657FD0841A61C55336867B5B0727038F9@IRSMSX103.ger.corp.intel.com> (raw)
In-Reply-To: <10fc6b4f-70b2-3200-4289-a86b926b4053@nxp.com>
> -----Original Message-----
> From: Hemant Agrawal [mailto:hemant.agrawal@nxp.com]
> Sent: Tuesday, December 18, 2018 12:50 PM
> To: Richardson, Bruce <bruce.richardson@intel.com>; Olivier Matz
> <olivier.matz@6wind.com>; Wiles, Keith <keith.wiles@intel.com>
> Cc: dev@dpdk.org; Shreyansh Jain <shreyansh.jain@nxp.com>
> Subject: Re: [dpdk-dev] [PATCH 0/2] prevent out of bounds read with
> checksum
>
> HI Bruce,
>
> On 17-Dec-18 9:20 PM, Bruce Richardson wrote:
> > The functions for checksumming the packet payload don't perform bounds
> > checks, and are used by the TAP driver which does not do any bounds
> > checks on the incoming packet either. This means a packet received
> > with an incorrect IP header can read beyond the end of the mbuf.
> >
> > In the worst case, where the length is specified as being smaller than
> > the
> > IPv4 header, 32-bit wrap-around on subtraction occurs, meaning that
> > approx 4GB of memory will be read.
> >
> > To fix this, we can introduce a sanity check into the ipv4 function to
> > ensure that underflow does not occur. Since the checksum function does
> > not take the mbuf length as a parameter, we cannot check for overflow
> > there, so we instead perform the checks in the TAP driver directly.
> >
> > Ideally, in a future release, all checksum functions should be
> > modified to take a max buffer length parameter to fix this issue
> globally.
> >
> > NOTE: It appears that the dpaa driver also uses these functions, but
> > from what I can see there, they are only used on TX, which means that
> > there should be less need for parameter length checking, as the data
> > does not come from an untrusted source. Perhaps maintainers, Hemant
> > and Shreyansh, can confirm?
>
> In DPAA, we are using software based checksum calculation for self
> generated packets largely.
>
> They are mostly trust worthy unless someone is deliberately or mistakenly
> trying to send a corrupt packet.
>
> We will check, if we can also add some checks in DPAA driver in these legs
> without making performance impact for self generated packets.
>
Right. Thanks for confirming it's not on RX path which would be the main risk.
I would assume that data coming from the app should be trusted, unless the
app is deliberately trying to crash itself. :-) (I didn't look to try and fix this
in DPAA because of that assumption, but glad you are looking into it.)
next prev parent reply other threads:[~2018-12-18 13:12 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-17 15:50 Bruce Richardson
2018-12-17 15:50 ` [dpdk-dev] [PATCH 1/2] net: fix underflow for checksum of invalid IPv4 packets Bruce Richardson
2018-12-18 13:15 ` Hemant Agrawal
2018-12-18 13:18 ` Hemant Agrawal
2018-12-17 15:50 ` [dpdk-dev] [PATCH 2/2] net/tap: add buffer overflow checks before checksum Bruce Richardson
2018-12-20 19:08 ` Ferruh Yigit
2018-12-20 19:33 ` Wiles, Keith
2018-12-18 12:50 ` [dpdk-dev] [PATCH 0/2] prevent out of bounds read with checksum Hemant Agrawal
2018-12-18 13:12 ` Richardson, Bruce [this message]
2018-12-20 19:09 ` Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59AF69C657FD0841A61C55336867B5B0727038F9@IRSMSX103.ger.corp.intel.com \
--to=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=keith.wiles@intel.com \
--cc=olivier.matz@6wind.com \
--cc=shreyansh.jain@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).